RE: [ActiveDir] Exchange Account in Outlook

2007-01-18 Thread Steve Linehan
I would make sure that you do not have any stored credentials on the machine.  
You do not mention the version of the OS of the client machine but in Windows 
XP and later there is a credential manager that can be used to store 
credentials and present them on behalf of the user.  Go into control panel and 
see if any passwords are stored for the user accounts that are experiencing 
this.

Thanks,

-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj [EMAIL 
PROTECTED]
Sent: Thursday, January 18, 2007 11:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange Account in Outlook

Hi All,

We are having Exch2K and a Win 2K Domain. I am facing one strange problem: while 
I am configuring the exchange account in Outlook on a client machine, it's 
not asking for the user name/password, and mail is working fine, like the user is 
able to send/receive mail. All clients are on a workgroup, like all users are 
authenticating with anonymous/everyone. I have seen in the ESM Mailboxes that the 
last logon of most users is showing with the "Admin" account. I can't understand 
why this is happening. I hadn't changed any settings.


Dhiraj Haritwal




This email is confidential and intended only for the use of the individual or 
entity named above and may contain information that is privileged. If you are 
not the intended recipient, you are notified that any dissemination, 
distribution or copying of this email is strictly prohibited. If you have 
received this email in error, please notify us immediately by return email or 
telephone and destroy the original message. - This mail is sent via Sony Asia 
Pacific Mail Gateway.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-17 Thread Steve Linehan
Since you can get to C$, can you get the dcpromo*.log files? They may help 
determine what is going on.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17, 2007 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unable to logon after DCPromo - oddness

Dear collective,

I'm hoping somebody can help out with a little problem I've got here.
I've got a Windows 2003 R2 Server, which I've joined to a domain, and dcpromo'd.

After the dcpromo and subsequent reboot, I can't logon to the server,
either 'interactively' or via RDP, or using PsExec.  I can access file
shares, like c$, and I can point MMC snap-ins to the computer without
problems.

The fact that the server is now a DC seems to have replicated around
just fine (all DCs show that the server is now in the Domain
Controllers OU), but all the SRV records are missing.

The system log is full of Netlogon 5774 events, suggesting I run
dcdiag, which is a nice suggestion, but I can't log on to the server
to do it.

Another (healthy) DC's directory service logs shows plenty of event
1699s, complaining:

The local domain controller failed to retrieve the changes requested
for the following directory partition. As a result, it was unable to
send the change requests to the domain controller at the following
network address.

Directory partition:
CN=RID Manager$,CN=System,DC=domain,DC=co,DC=uk
Network address:
a5859b6d-e8a7-4b50-aab8-ba0e03d259f3._msdcs.domain.co.uk
Extended request code:
2

Additional Data
Error value:
8453 Replication access was denied.


Has something gone horribly wrong here, or am I overlooking something
simple that I'm going to kick myself about later?

Any ideas appreciated,

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
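The collection step Steve asks for, as an added example that is not from the thread: copy the dcpromo logs from the promoted server over its admin share (the one path that still works in Adam's description), list the lines that record a failure, and look at the replication status from the same box. The server name and the C:\Windows location are assumptions; the log names are the standard ones.

```powershell
# Added example, not from the thread. Copies the dcpromo logs from a DC that
# is reachable over the admin share but refuses logons, then lists the lines
# that record a failure. Log names and location are the standard ones
# (%SystemRoot%\debug\dcpromo.log and dcpromoui.log); the server name is a
# placeholder, and the Windows directory is assumed to be C:\Windows.
param(
    [string]$Server  = 'NEWDC01',                   # placeholder: the promoted server
    [string]$DropDir = "$env:TEMP\dcpromo-$Server"  # where the copies land
)

New-Item -ItemType Directory -Path $DropDir -Force | Out-Null

$remoteDebug = "\\$Server\C$\Windows\debug"
Copy-Item -Path (Join-Path $remoteDebug 'dcpromo*.log') -Destination $DropDir -Force

# dcpromo.log records each promotion step with its status; dcpromoui.log is
# the wizard's trace. Failures show up as "error", "failed" or a status code
# such as 8453 (replication access denied, the code in the 1699 events).
Get-ChildItem -Path $DropDir -Filter 'dcpromo*.log' | ForEach-Object {
    $log = $_
    Select-String -Path $log.FullName -Pattern 'error|fail|denied|8453' |
        Select-Object -First 40 |
        ForEach-Object { '{0}:{1}: {2}' -f $log.Name, $_.LineNumber, $_.Line.Trim() }
}

# The healthy side of the same problem: which partitions the new DC fails to
# source and the status per partner, without needing an interactive logon.
repadmin /showrepl $Server
```

Save it as Get-DcpromoLog.ps1 and run `.\Get-DcpromoLog.ps1 -Server NEWDC01` from a workstation whose account already reaches the C$ share; the 8453 lines, if any, name the partition and partner that the 1699 events on the healthy DC refer to.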


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Steve Linehan
Well assuming that the deletion occurred recently I would go look in the 
deleted items folder and see if you have an object by that name in there.  You 
can then look at the replication metadata and see where the delete originated.  
From that see if they are all coming from one DC or if there are patterns.  If 
you have auditing turned up you could see who/what is deleting them.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process

What's unique about the domain this is happening to? That strikes me as odd 
that it's occurring in one domain, but not all.

I have yet to see accounts get deleted in Active Directory (any version) 
without a process that removes them.  This could be a new experience for me, 
but I'm skeptical that a process doesn't exist that is removing accounts or 
preventing the replication (you did say they checked, but like I said, I'm 
skeptical of any process that picks on computer account security principals but 
leaves user security principals alone.)

I have seen strange issues occur when anti virus apps that run on the domain 
controllers were thought to have been configured properly but weren't. I've 
seen instances where similar symptoms were presented but in the end we found 
out that a process was running that caused this issue. I've seen issues of DC 
promotions and DNS that ate the DNS zones, but that's not what you describe.

So I'm interested to know what's unique about the domain it occurs in.  I'm 
interested to know why it doesn't occur in the other domains?

SP1 is highly recommended of course - lots of bug fixes and additional security 
changes.

I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too.


On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:
I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting
deleted - most of them are ones that can't update their passwords
because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset to the old one too.  But the issues
are not isolated to these accounts.

We do not have an automated process set up to delete these accounts.

This is Server 2003, non-SP1 (that's scheduled for this Friday).  There
are no discovered replication errors, they have checked for those.  We
only have 6 DCs, two each for a root and two child domains, and this is
happening in one of the child domains.

Here is an example event that we are getting.  If anyone has seen this
before or has any ideas, we'll be most appreciative.

Event Type:   Error
Event Source:NETLOGON
Event Category: None
Event ID:   5723
Date:1/16/2007
Time:9:21:28 AM
User:N/A
Computer: CORPDC2
Description:
The session setup from computer 'ACCT-95XDP11' failed because the
security database does not contain a trust account 'ACCT-95XDP11$'
referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer
and account, this may be a transient issue that doesn't require any
action at this time. Otherwise, the following steps may be taken to
resolve this problem:

If 'ACCT-95XDP11$' is a legitimate machine account for the computer
'ACCT-95XDP11', then 'ACCT-95XDP11' should be rejoined to the domain.

If 'ACCT-95XDP11$' is a legitimate interdomain trust account, then the
trust should be recreated.

Otherwise, assuming that 'ACCT-95XDP11$' is not a legitimate account,
the following action should be taken on 'ACCT-95XDP11':

If 'ACCT-95XDP11' is a Domain Controller, then the trust associated with
'ACCT-95XDP11$' should be deleted.

If 'ACCT-95XDP11' is not a Domain Controller, it should be disjoined
from the domain.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 8b 01 00 c0

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED /
CONFIDENTIAL INFORMATION 
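Steve's check in script form, as an added example that is not from the thread: find the computer objects tombstoned in the last week, read the replication metadata of each one's isDeleted attribute, and group the deletes by originating DC to see whether they come from one place or follow a pattern. It assumes the ActiveDirectory PowerShell module of Windows Server 2012 or later (on the Server 2003 DCs in the thread the same data comes from repadmin /showobjmeta against the tombstone's DN); the DC name is the one in Rich's event and stands in for whichever DC you query.

```powershell
# Added example, not from the thread. Lists computer objects that were
# tombstoned recently and, for each, reads the replication metadata of the
# isDeleted attribute to show which DC originated the delete and when.
# Assumes the ActiveDirectory module from Windows Server 2012 or later;
# the DC name is a placeholder taken from the thread's event.
Import-Module ActiveDirectory

$dc    = 'CORPDC2'                     # DC to read metadata from
$since = (Get-Date).AddDays(-7)        # deletes from the last week

$deleted = Get-ADObject -Server $dc -IncludeDeletedObjects `
    -Filter { objectClass -eq 'computer' -and isDeleted -eq $true -and whenChanged -ge $since } `
    -Properties whenChanged, lastKnownParent

$report = foreach ($obj in $deleted) {
    # One metadata row per attribute; the isDeleted row carries the
    # originating DC and the timestamp of the delete itself.
    $meta = Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server $dc -IncludeDeletedObjects |
            Where-Object { $_.AttributeName -eq 'isDeleted' }

    [pscustomobject]@{
        Name          = ($obj.Name -split "`n")[0]   # tombstone RDN is "NAME<LF>DEL:<guid>"
        LastParent    = $obj.lastKnownParent         # the OU it was deleted from
        DeletedAt     = $meta.LastOriginatingChangeTime
        OriginatingDC = $meta.LastOriginatingChangeDirectoryServerIdentity
        LocalUsn      = $meta.LocalChangeUsn
    }
}

$report | Sort-Object DeletedAt | Format-Table -AutoSize

# The pattern check: all deletes from one DC points at something running
# there (scripts, agents, AV); deletes spread across DCs with a regular
# cadence point at a scheduled process somewhere else.
$report | Group-Object OriginatingDC | Select-Object Name, Count
```

The originating DC in the metadata is where the write first happened, which is what distinguishes "a process on this DC deleted it" from "it replicated in from elsewhere"; pair it with the account-management audit events on that DC for the same timestamps to get the caller.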

RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Steve Linehan
Password change for the machine account is handled by the client and you could 
disable this so that you do not have the problem on the machines that are Deep 
Frozen.  We also have a tool that education users often leverage that does 
something similar; however, we implemented a way to update the password secret 
in the machine's registry to avoid the rollback issue.  The DC will remember the 
current and one previous password.  If the machine comes up and uses the 
previous password then it will fall back; however, if the machine goes through 
two resets, by default 30 days + random offset up to 24 hours, then potentially 
when you fall back the trust relationship would not work as the DC only knows 
about the last two passwords.  That being said, other ISVs simply disable 
password changes on these systems since the password is randomly generated and 
generally strong for workstation class machines.  As for the deletion, that is 
not normal, which is why I would be interested in the metadata if the objects 
are indeed in deleted items.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 16, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

Thanks Deji, I'll see what I can do (pun sorta intended)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process
In that case, you'll want to check out Steve's post and follow some of that 
advice.  Since it's a computer resource domain topology, it should be 
relatively low traffic and easier to spot.

Can you recreate it? Or is this just being reported retroactively? Better yet, 
how close are you to the situation?


On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:

Thanks Al. It's not that the domain is different, just that only one domain is 
used for computer accounts. The forest root isn't, and the other domain is 
relatively inactive until we put another area on AD, though it has a couple of 
user accounts. So all the computer accounts are in this domain (as well as 
almost all user accounts).



I agree it's weird that nothing is touching user accounts. We do use Sophos, 
and Sophos is often referred to with 4 letters lately around here so I'll 
mention that to them...



Deep Freeze apparently resets the computer to the state it was in before, so 
people can't change it. I'm not sure that the computer account password getting 
reset as part of it is a problem, I've been out of the loop on it. But it's not 
just those computers.



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous





RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Steve Linehan
And because I figure someone will ask what this tool is that I talk about: I did 
not have the link handy when I sent the mail.  It is called the Microsoft Shared 
Computer Toolkit for Windows XP, which can be found 
here: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx.

Thanks,

-Steve


RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Steve Linehan
I am also interested in the answers to these questions, especially OS version 
and SP level.  We had a few issues with caching in RTM and a few others 
around SP1.  It is a long story but has to do with how the cache entries are 
organized in memory.  The net effect was that certain lookups would cause the 
cache to have bad data that would cause the behavior you mention.  If you could 
provide the version of DNS.EXE, full build number using something like 
filever.exe, that would also be helpful.  The last issue I was aware of that 
exhibited these behaviors is documented here: 
http://support.microsoft.com/kb/903720/en-us.  So I would be interested if you 
were experiencing the issue with a build beyond that one.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache

How are these servers configured in TCP/IP? Who is forwarding to whom? And what 
is the SP level? If you want to take this off-list, you can do so by directly 
emailing me.


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon


From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
Hi,

I have 4 DNS servers, they are all AD integrated.

2 of them are supposed to be for internal use only, and the other 2 for the 
internet domain we have; unluckily they were never configured to be split DNS.

Anyway, every now and then I have to clear the cache for the internal ones 
because they stop resolving for certain addresses.

Sometimes I also have to update server data files for the DNS server to 
resolve certain names.


Any help on how to troubleshoot this?

Thanks

Rezuma
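The inventory Steve and Deji ask for, as an added example that is not from the thread: for each DNS server collect the OS version and service pack, the file version of DNS.EXE (what filever.exe would report), the resolver list in the server's own TCP/IP settings, and the version and forwarder lines from dnscmd /Info. The server names are placeholders; the WMI classes and the dnscmd switches are standard.

```powershell
# Added example, not from the thread. Collects OS/SP level, the DNS.EXE build
# and the forwarding configuration from each DNS server so the build can be
# compared against the hotfix Steve points at. Server names are placeholders.
$servers = 'DNS01', 'DNS02', 'DNS03', 'DNS04'     # placeholders

foreach ($s in $servers) {
    $os = Get-WmiObject -ComputerName $s -Class Win32_OperatingSystem

    # Build a UNC path to the server's system directory (C:\Windows\system32
    # becomes \\server\C$\Windows\system32) and read dns.exe's file version.
    $sysUnc = "\\$s\" + $os.SystemDirectory.Replace(':', '$')
    $exe    = Get-Item (Join-Path $sysUnc 'dns.exe') -ErrorAction SilentlyContinue

    # Resolver list on the server's first IP-enabled adapter: the "who asks
    # whom" part of Deji's question as seen from the client side.
    $nic = Get-WmiObject -ComputerName $s -Class Win32_NetworkAdapterConfiguration |
           Where-Object { $_.IPEnabled } |
           Select-Object -First 1

    [pscustomobject]@{
        Server      = $s
        OS          = $os.Caption
        ServicePack = $os.CSDVersion
        DnsExeBuild = if ($exe) { $exe.VersionInfo.FileVersion } else { 'n/a' }
        DnsServers  = ($nic.DNSServerSearchOrder -join ', ')
    }
}

# Service-side view: the DNS server's own version line and its forwarders.
# dnscmd.exe ships with the DNS server tools.
foreach ($s in $servers) {
    "--- $s ---"
    dnscmd $s /Info | Select-String -Pattern 'version|forward'
}

# When a server stops answering for some names, flush its cache remotely
# instead of logging on: dnscmd $s /ClearCache
```

Keeping the output from each flush alongside the build number is what turns "every now and then" into a case: the same names failing on the same build, on the servers that do not forward, is the shape of the cache issue Steve describes.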


RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-15 Thread Steve Linehan
It appears that you are having problems with slow link detection from the log 
below.  You can try disabling it on the client to see if that corrects the 
problem by following the steps in this article for disabling slow link 
detection: http://support.microsoft.com/kb/910206/en-us.  I would not recommend 
this as a long term solution but simply as a troubleshooting step to see if it is 
indeed a problem with slow link detection.  I believe the LDAP error 59 later 
in the log is spurious and caused by the abort of slow link detection.  
However, just in case, can you also validate that you can successfully make a 
DSGetDCName() call by using nltest /dsgetdc:domainname and see if it returns 
the same error on the machine in question?  Let us know the results of each 
test and maybe we can provide some additional insight.

Thanks,

-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Donavon Yelton [EMAIL 
PROTECTED]
Sent: Monday, January 15, 2007 6:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I have a new member server (Windows 2003 R2 x64) in my Windows 2003 domain (not 
R2).  My setup contains two Windows 2003 DC's, both being DNS servers with the 
PDC being a WINS server.  I have been working on a problem with a 1054 error in 
the event log for the mentioned Windows 2003 R2 x64 member server that has been 
added recently.

Error 1054 as a refresh is the following:


Windows cannot obtain the domain controller name for your computer network. (An 
unexpected network error occurred. ). Group Policy processing aborted.

I worked on solutions all day Friday to no avail so I am seeking assistance on 
this matter.  No other member of the domain has this error that I am aware of.  
SRV records for the DC's are in the DNS and are set up correctly on the troubled 
member server.  I have looked through WINS and saw no apparent problems with 
its setup either.  I have updated the drivers and firmware for the network 
cards in the new member server and in both DC's.

I will say that I have a strange issue on my local PC from time to time (and 
I'll assume this happens on other domain member's PC's as well) where I cannot 
logon to Active Directory Users and Computers by using the domain as a locator, 
however I am able to go into it if I selectively choose a specific DC from the 
list.

When running netdiag on the problem member server I see no issues and when 
running netdiag and dcdiag on the DC's I see no issues.  I am able to get to 
SYSVOL from the problem member server by going to 
\\domain\sysvol\domain.

I have turned on logging of USERENV on the problem member server and I get this 
in the log:

USERENV(37c.66c) 07:00:02:294 PingComputer: PingBufferSize set as 2048
USERENV(37c.66c) 07:00:02:294 PingComputer: Adapter speed 10 bps
USERENV(37c.66c) 07:00:02:294 PingComputer:  First time:  2482
USERENV(37c.66c) 07:00:02:294 PingComputer:  Second time:  2482
USERENV(37c.66c) 07:00:02:294 PingComputer:  First and second times match.
USERENV(37c.66c) 07:00:02:294 PingComputer:  First time:  2482
USERENV(37c.66c) 07:00:02:294 PingComputer:  Second time:  2482
USERENV(37c.66c) 07:00:02:294 PingComputer:  First and second times match.
USERENV(37c.66c) 07:00:02:294 PingComputer:  First time:  2482
USERENV(37c.66c) 07:00:02:294 PingComputer:  Second time:  2482
USERENV(37c.66c) 07:00:02:294 PingComputer:  First and second times match.
USERENV(37c.66c) 07:00:02:294 PingComputer:  No data available
USERENV(37c.66c) 07:00:02:294 ProcessGPOs: DSGetDCName failed with 59.

I am very close to calling Microsoft to help resolve the issue but I thought 
I'd run it by you guys.  I'm in the unfortunate position of being the only IT 
personnel here and having to be a jack of all trades as it would be.  I 
typically have no problem solving an issue like this, especially with the help 
of Google but this problem just goes beyond stumping me.  Any help is 
appreciated.

Donavon Yelton
Manager of Information Systems
Carpenter Industries, Inc.
(704) 743-2068
http://www.dennis-carpenter.com/


THIS MESSAGE CONTAINS INFORMATION INTENDED ONLY FOR THE USE OF THE INDIVIDUAL 
OR ENTITY NAMED ABOVE. IF THE READER OF THIS MESSAGE IS NOT THE RECIPIENT, OR 
THE EMPLOYEE OR AGENT RESPONSIBLE TO DELIVER IT TO THE INTENDED RECIPIENT, YOU 
ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION OR COPYING OF THIS 
MESSAGE IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED THIS MESSAGE IN ERROR, 
PLEASE NOTIFY US IMMEDIATELY VIA RETURN-E-MAIL AND DELETE THIS MESSAGE FROM 
YOUR SYSTEM. THANK YOU.

Carpenter Industries, Inc.



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
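Steve's two checks in one script, as an added example that is not from the thread: read the policy value that disables slow link detection, show the link speed the adapter reports (the USERENV log above says "Adapter speed 10 bps", which is what makes the detection fail), and make the same locator call Group Policy makes via nltest. GroupPolicyMinTransferRate is the registry value written by the "Group Policy slow link detection" policy; the domain name is a placeholder.

```powershell
# Added example, not from the thread. Checks slow link detection policy, the
# adapter speed reported to the ping code, and DsGetDcName via nltest on the
# member server. The domain name is a placeholder.
$domain = 'corp.example.com'   # placeholder

# 1. Slow link detection policy (computer side). 0 disables detection, which
#    is the troubleshooting step Steve suggests, not the long-term fix.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$rate   = (Get-ItemProperty -Path $polKey -Name GroupPolicyMinTransferRate -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
if ($null -eq $rate)   { 'Slow link detection: default threshold (500 kbps)' }
elseif ($rate -eq 0)   { 'Slow link detection: disabled by policy' }
else                   { "Slow link detection: threshold $rate kbps" }

# 2. What the adapter tells the ping code. A driver reporting 10 bps (or 0)
#    makes every link look slow and can abort the detection.
Get-WmiObject -Class Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionStatus -eq 2 } |       # 2 = connected
    Select-Object Name, Speed, MACAddress                  # Speed is in bits per second

# 3. The locator call Group Policy makes. If this fails too, the problem is
#    DNS/SRV or site coverage rather than slow link detection.
$out = nltest "/dsgetdc:$domain" 2>&1
$out
$dcFound = [bool]($out | Select-String -Pattern 'The command completed successfully')
"DsGetDcName succeeded: $dcFound"
```

If step 3 returns a DC while step 2 shows an implausible speed, the driver or its firmware is the place to look; if step 3 fails on this server and nowhere else, compare its DNS client settings and site membership with a working member before touching the policy.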


RE: [ActiveDir] Disabled user + when

2007-01-03 Thread Steve Linehan
As Edward pointed out, to really get the authoritative data you want you would 
need to have historic audit logs.  Another, less reliable, method that you can 
use is to look at the replication metadata for the UserAccountControl 
attribute.  This is the attribute that gets updated when the account is 
disabled.  The problem is that this attribute is a collection of flags, so if 
anyone changed any of the other settings, such as "User cannot change password", 
after disabling the account, the data will not be accurate.  There are many 
tools that will show you the metadata on an object, such as repadmin 
/showobjmeta.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Then you are going to have to restore the logs from your server and sift 
through them from the last quarter. Good luck on that one. You really need 
to invest in Eventlog Manager and Archival software for compliance issues; to 
really do what you want to do, the standard tools are not going to help you in 
this endeavor.

EZ


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Wednesday, January 03, 2007 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when
Thanks for the quick response. I don't have logs for more than 2 days on the 
DCs. They get overwritten due to size. Is there any other way? In future I will 
have monitoring to detect the event and send me an email for future reference. 
But right now  I need information from the last quarter.

Thanks
-Parag



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Auditing,

You are looking for the following event ID.

Event Type= Account Management
Event ID 629 (User account disabled)


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Tuesday, January 02, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabled user + when
Team,

Is there a way to find when a user account was disabled in AD? Our SOX auditor 
would like to see the list of users whose accounts were disabled in the last 
quarter plus the date when they were disabled. They will match this information 
with the HR database. We can't rely on the whenmodified attribute because the 
helpdesk team takes a day or two to complete the rest of the termination 
process on that account after the account is disabled.

-Parag
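Steve's metadata method next to Edward's audit event, as an added example that is not from the thread: for every disabled user, read the replication metadata of userAccountControl, keep the originating timestamp and DC of the last write to that attribute, and put it beside whenChanged (which the helpdesk's later edits move) and beside whatever disable events the security log still holds. It assumes the ActiveDirectory PowerShell module of Windows Server 2012 or later (repadmin /showobjmeta gives the same rows on the Server 2003 DCs of the thread); the DC name is a placeholder. The caveat from the thread stands in the code: the metadata belongs to the whole attribute, so any later flag change moves the timestamp.

```powershell
# Added example, not from the thread. For each disabled user, reads the
# replication metadata of userAccountControl and lists the last originating
# change next to whenChanged and the audit log. Assumes the ActiveDirectory
# module from Server 2012 or later; the DC name is a placeholder.
Import-Module ActiveDirectory

$dc             = 'DC01'                    # placeholder
$quarterStart   = (Get-Date).AddMonths(-3)
$ACCOUNTDISABLE = 0x2                       # the bit "disable account" sets

$rows = Get-ADUser -Server $dc -Filter { Enabled -eq $false } -Properties userAccountControl, whenChanged |
    ForEach-Object {
        $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName -Server $dc |
                Where-Object { $_.AttributeName -eq 'userAccountControl' }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            DisabledFlagSet = [bool]($_.userAccountControl -band $ACCOUNTDISABLE)
            UacLastChanged  = $meta.LastOriginatingChangeTime   # moves on ANY flag change, not just the disable
            UacVersion      = $meta.Version                     # how many times the attribute was written
            OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
            WhenChanged     = $_.whenChanged                    # later still if the helpdesk kept editing
        }
    }

$rows | Where-Object { $_.UacLastChanged -ge $quarterStart } |
    Sort-Object UacLastChanged | Format-Table -AutoSize

# Cross-check with the security log for the days it still covers: 629 "User
# Account Disabled" on Server 2003 (Edward's event), 4725 on Server 2008 and
# later. ReplacementStrings carries the target account and the caller.
Get-EventLog -LogName Security -ComputerName $dc -InstanceId 629, 4725 -After $quarterStart -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, ReplacementStrings |
    Select-Object -First 20
```

Where UacVersion is exactly one higher than it was before the termination and UacLastChanged predates WhenChanged by the day or two Parag describes, the metadata date is usable; where the version jumped by more, another flag was touched afterwards and only the audit trail can give the disable date.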



RE: [ActiveDir] DFS-R replication through a firewall

2006-12-21 Thread Steve Linehan
You can fix the port using DFSrdiag.  See the following from: 
http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx

Can DFS Replication replicate between branch offices without a VPN connection?
Yes, assuming that there is a private Wide Area Network (WAN) link (not the 
Internet) connecting the branch offices. However, you must open the proper 
ports in external firewalls. DFS Replication uses the RPC Endpoint Mapper (port 
135) and a randomly assigned ephemeral port above 1024. You can use the 
Dfsrdiag command line tool to specify a static port instead of the ephemeral 
port. For more information about how to specify the RPC Endpoint Mapper, see 
article 154596 in the Microsoft Knowledge Base 
(http://go.microsoft.com/fwlink/?LinkId=73991).

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 20, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DFS-R replication through a firewall

We open port 135 for our subnets only. We made changes to registry to
force high ports through a range and open those ports in firewall policy.

-Z.V.

Almeida Pinto, Jorge de wrote:
 Hi Everyone,

 I assume everyone knows about:
 How to restrict FRS replication traffic to a specific static port
 http://support.microsoft.com/kb/319553

 I was wondering about the configuration for DFS-R. Does anyone have 
 experience with that working through a firewall? (instead of opening 135 and 
 a range of high ports)

 Thanks!

 cheers,
 Jorge

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 (   Tel : +31-(0)40-29.57.777
 (   Mobile : +31-(0)6-26.26.62.80
 *   E-mail : see sender address




 This e-mail and any attachment is for authorised use by the intended 
 recipient(s) only. It may contain proprietary material, confidential 
 information and/or be subject to legal privilege. It should not be copied, 
 disclosed to, retained or used by, any other party. If you are not an 
 intended recipient then please promptly delete this e-mail and any attachment 
 and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
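Both approaches from the thread side by side, as an added example that is not from the thread: pin DFS Replication to one RPC port with dfsrdiag (the tool the FAQ names), read the setting back from the DFSR WMI provider, and show the KB 154596 registry values that Za Vue's "force high ports through a range" refers to. The member name and port numbers are placeholders; pick a port that nothing else on the member listens on and allow it, together with TCP 135, through the firewall between the sites.

```powershell
# Added example, not from the thread. Pins DFSR to a static RPC port, reads it
# back, and shows the RPC port-range registry values from KB 154596. Member
# name and ports are placeholders.
$member = 'BRANCH-FS01.corp.example.com'   # placeholder
$port   = 63000                            # placeholder static port for DFSR

# 1. Fix the DFSR listener port on that member (needs admin rights on it).
dfsrdiag StaticRPC "/Port:$port" "/Member:$member"

# 2. Read it back from the DFSR WMI provider. RpcPortAssignment of 0 means
#    "ephemeral port"; anything else is the pinned port. The DFS Replication
#    service picks the new port up when it restarts.
$cfg = Get-WmiObject -ComputerName $member -Namespace 'root\MicrosoftDFS' -Class DfsrMachineConfig
'DFSR RPC port on {0}: {1}' -f $member, $cfg.RpcPortAssignment

# 3. The registry alternative (KB 154596): restrict every RPC server on the
#    box to one dynamic range, then allow that range through the firewall.
#    Takes effect after a reboot. Shown as a read; the write is commented out.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (Test-Path $rpcKey) {
    Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
} else {
    'No Rpc\Internet key: dynamic ports are unrestricted on this machine'
}
# New-Item -Path $rpcKey -Force | Out-Null
# Set-ItemProperty -Path $rpcKey -Name Ports                  -Value @('5000-5100') -Type MultiString
# Set-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -Value 'Y'            -Type String
# Set-ItemProperty -Path $rpcKey -Name UseInternetPorts       -Value 'Y'            -Type String
```

The dfsrdiag route changes only DFSR and leaves the rest of RPC alone, so it is the smaller firewall opening; the registry route covers every RPC service on the host (including the FRS case from KB 319553) at the cost of a range of ports rather than one.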


RE: [ActiveDir] DFS-R replication through a firewall

2006-12-21 Thread Steve Linehan
You can fix the port using DFSrdiag.  See the following from: 
http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx

Can DFS Replication replicate between branch offices without a VPN connection?
Yes-assuming that there is a private Wide Area Network (WAN) link (not the 
Internet) connecting the branch offices. However, you must open the proper 
ports in external firewalls. DFS Replication uses the RPC Endpoint Mapper (port 
135) and a randomly assigned ephemeral port above 1024. You can use the 
Dfsrdiag command line tool to specify a static port instead of the ephemeral 
port. For more information about how to specify the RPC Endpoint Mapper, see 
article 154596 in the Microsoft Knowledge Base 
(http://go.microsoft.com/fwlink/?LinkId=73991).

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 20, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DFS-R replication through a firewall

We open port 135 for our subnets only. We made changes to registry to
force high ports through a range and open those ports in firewall policy.

-Z.V.

Almeida Pinto, Jorge de wrote:
 Hi Everyone,

 I assume everyone knows about:
 How to restrict FRS replication traffic to a specific static port
 http://support.microsoft.com/kb/319553

 I was wondering about the configuration for DFS-R. Does anyone have 
 experience with that working through a firewall? (instead of opening 135 and 
 a range of high ports)

 Thanks!

 cheers,
 Jorge

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 Tel : +31-(0)40-29.57.777
 Mobile : +31-(0)6-26.26.62.80
 E-mail : see sender address




 This e-mail and any attachment is for authorised use by the intended 
 recipient(s) only. It may contain proprietary material, confidential 
 information and/or be subject to legal privilege. It should not be copied, 
 disclosed to, retained or used by, any other party. If you are not an 
 intended recipient then please promptly delete this e-mail and any attachment 
 and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] AD admin tool for Vista

2006-12-18 Thread Steve Linehan
Interestingly enough if you search with your favorite search engine, mine is of 
course www.live.com :), you will find that those steps were blogged in many 
locations.  That being said, can you describe what icons are not recognizable, 
or post a small screenshot (no need for a full 32-bit BMP)? It sounds like one 
of the DLLs that had the resources in it may not have registered correctly.  
Subsequently I posted that launching the MSI from an elevated command prompt 
would correctly register all of the resources.  That being said, we are working 
through a number of issues with some of the snap-ins when run under Vista and 
those are working themselves through the Sustained Engineering (AKA QFE) 
process as we speak.  As far as an Adminpack for Vista, no official release 
date has been given but I will unofficially say I would not expect to see 
anything prior to Longhorn ship.  If I see any additional updates of official 
communication around Vista and Admin tools I will pass it along, and this 
sounds like a great thing to ask the development team for any of you traveling 
to DEC. :)

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 16, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD admin tool for Vista

Any answers would simply be guesses but I honestly wouldn't expect anything 
until Longhorn release time frames.

Note that those Petri instructions initially were posted to this list by Steve 
Linehan (Microsoft).


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD admin tool for Vista
Does anyone know when Microsoft will release Adminpak for Vista? The following 
link is the only solution now? I followed the instruction, and was able to snap 
in to MMC, but all AD objects become not-recognizable icon. Thanks.


http://www.petri.co.il/running_win_2003_adminpak_on_vista_rtm.htm


RE: [ActiveDir] AD admin tool for Vista

2006-12-18 Thread Steve Linehan
After reviewing a screen shot that I was sent offline it was determined that 
this was a known issue.  I guess I had not looked closely enough at the icons 
once you drilled into a user.  It turns out that some of the default icons that 
ADUC and other snapins used in Windows Server 2003 were changed and therefore 
you get generic icons in Vista.  Sustained Engineering is aware of the issue 
and has an active bug tracking this.  I do not have an ETA on when this issue 
will be corrected.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, December 18, 2006 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD admin tool for Vista

Interestingly enough if you search with your favorite search engine, mine is of 
course www.live.com :), you will find that those steps were blogged in many 
locations.  That being said, can you describe what icons are not recognizable, 
or post a small screenshot (no need for a full 32-bit BMP)? It sounds like one 
of the DLLs that had the resources in it may not have registered correctly.  
Subsequently I posted that launching the MSI from an elevated command prompt 
would correctly register all of the resources.  That being said, we are working 
through a number of issues with some of the snap-ins when run under Vista and 
those are working themselves through the Sustained Engineering (AKA QFE) 
process as we speak.  As far as an Adminpack for Vista, no official release 
date has been given but I will unofficially say I would not expect to see 
anything prior to Longhorn ship.  If I see any additional updates of official 
communication around Vista and Admin tools I will pass it along, and this 
sounds like a great thing to ask the development team for any of you traveling 
to DEC. :)

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 16, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD admin tool for Vista

Any answers would simply be guesses but I honestly wouldn't expect anything 
until Longhorn release time frames.

Note that those Petri instructions initially were posted to this list by Steve 
Linehan (Microsoft).


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD admin tool for Vista
Does anyone know when Microsoft will release Adminpak for Vista? The following 
link is the only solution now? I followed the instruction, and was able to snap 
in to MMC, but all AD objects become not-recognizable icon. Thanks.


http://www.petri.co.il/running_win_2003_adminpak_on_vista_rtm.htm


RE: [ActiveDir] OT: Quota Software

2006-12-12 Thread Steve Linehan
Windows Server 2003 R2 not only improved on the quota management built into the 
product, allowing granularity down to the user, but also added reporting and 
file screening.  You can find more information on these new features at the 
following links:

http://www.microsoft.com/technet/technetmag/issues/2006/05/GetControl/default.aspx
http://download.microsoft.com/download/7/4/7/7472bf9b-3023-48b7-87be-d2cedc38f15a/WS03R2_Storage_Management.doc

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Tuesday, December 12, 2006 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Quota Software

We use a 3rd party app SpaceGuard SRM from www.tools4ever.com on our
file servers to implement directory level (rather than user level) disk
quotas, monitor usage, send email to users when they get close or hit
the quota, etc.

I can monitor and manage quotas from a single client workstation and
have setup automatic quotas for Home Directories.

Spaceguard works fine for our single site.  We did not try the built in
Windows quota at the time we switched to AD 4 years ago because the
quota was by user. It may have gotten better in win2k3.


Michael J. Miller
Computing Services
College of Veterinary Medicine, UIUC
_



Mark Parris wrote:
 All,

 I have been tasked with implementing disk quotas for corporate users; some of 
 the data is centralised and some is stored on regional file servers, but no 
 user has data spread over more than one server or location.

 Whilst I understand the concepts I have never implemented quota software so 
 can anyone recommend a quota management software that works? The software 
 must be configurable to a user or a group and not at the volume level.

 A nice to have would be storage billing.

 Any gotchas?




 Regards,

 Mark Parris

 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Please help me

2006-12-08 Thread Steve Linehan
What service pack level are you at?  It will disappear in ~ 14 days due to the 
Replication Topology Stay of Execution functionality.  You can read more about 
it here:
http://technet2.microsoft.com/WindowsServer/en/library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx
under the section "How Replication Metadata is Preserved in Windows Server 
2003".  You can go in and manually remove all of the entries using repadmin but 
that is overkill and this will clean itself up soon.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 08, 2006 7:08 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Please help me


About 1 week

I can't find it in Sites and Services


Adrião Ferreira Ramos

Operations and Infrastructure Dept. - CII.14

[EMAIL PROTECTED]

(11) 3388.8193





Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 17:35
Please reply to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Please help me

How long ago was it dcpromoed out?

DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC


On 12/7/06, Thompson, Elizabeth [EMAIL PROTECTED] wrote:
Check and see if it still has the dead server listed under its NTDS Settings 
in AD Sites and Services. Had this happen once to me. I manually deleted the 
NTDS reference and it was happy.


Elizabeth Thompson
Service and Support Technician/Exchange Admin
Information Technology Services
The Community College of Baltimore County




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me


I have a strange problem and can not find any solution.

   I used DCpromo to demote a computer. It worked ok, the domain 
controller was demoted. But when I use repadmin to show other DCs' 
replication, it shows replications from the demoted domain controller. I 
didn't find anything to explain how to solve that.
   Where can I find it, to remove it from replication? The machine is a 
network computer, but replication fails with message:


   SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN CONTROLLER 
THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
   DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
   Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
   DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
   DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
   USNs: 13018091/OU, 13018091/PU
   Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
   A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
   96 consecutive failure(s).
   Last success @ 2006-12-01 07:58:08.


Adrião Ferreira Ramos

Operations and Infrastructure Dept. - CII.14

[EMAIL PROTECTED]

(11) 3388.8193





This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose or take any action based on this message or any information 
herein. If you have received this message in error, please advise the sender 
immediately by reply e-mail and delete this message. Thank you for your 
cooperation.


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Steve Linehan
You have to upgrade or install one of the servers in each domain to Windows 
Server 2003 and then transfer the PDC Emulator role to the upgraded or added 
Windows Server 2003 box.  When a Windows Server 2003 box takes over the PDC 
Emulator FSMO role it will create these new security principals.  This is 
documented under the section titled Windows Server 2003 Well Known Security 
Principals in the following link: 
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx.

Thanks,

-Steve


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL 
PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help..

- I can confirm we do not have an Enterprise Domain Controllers group in
any of the domains.

- I have found the following article 
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf...but 
this assumes we actually have the group Enterprise Domain Controllers 
available. From further reading I see this group has a specific SID of S-1-5-9 
so I can not simply create a new group.

- Does anyone have any idea how the group Enterprise Domain Controllers
can be recreated with the correct SID of S-1-5-9 so that we can run the
script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Steve Linehan
Sorry, I read and responded to this too fast. You should have an Enterprise 
Domain Controllers group; however, it becomes a member of the Windows 
Authorization Access group after the PDC upgrade.  You will be missing some of 
the other groups and security principals listed in that section until the PDC 
is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL 
PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows 
Server 2003 and then transfer the PDC Emulator role to the upgraded or added 
Windows Server 2003 box.  When a Windows Server 2003 box takes over the PDC 
Emulator FSMO role it will create these new security principals.  This is 
documented under the section titled Windows Server 2003 Well Known Security 
Principals in the following link: 
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx.

Thanks,

-Steve


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL 
PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help..

- I can confirm we do not have an Enterprise Domain Controllers group in
any of the domains.

- I have found the following article 
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf...but 
this assumes we actually have the group Enterprise Domain Controllers 
available. From further reading I see this group has a specific SID of S-1-5-9 
so I can not simply create a new group.

- Does anyone have any idea how the group Enterprise Domain Controllers
can be recreated with the correct SID of S-1-5-9 so that we can run the
script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Apply a Group Policy to all but one user

2006-10-19 Thread Steve Linehan
Create a group that has read and apply policy and assign the users to that 
group and leave the boss out. Or you could just deny the boss the read/apply 
rights for that GPO. I am not big into denies.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo
Sent: Thursday, October 19, 2006 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Apply a Group Policy to all but one user

I have 8 users in an OU (including my boss). I need to apply a group policy to 
that OU but leave out my boss.

How can I filter that user without moving him out of the OU?


RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-26 Thread Steve Linehan
This is likely going to be very difficult to get out of since you changed the 
schema before instantiated objects replicated end to end.  This is why there 
are strong recommendations to do testing and use LDIF files instead of editing 
the schema in the schema editor for extensions like this.  I have one idea that 
may work but I need to test it after reproducing a similar situation.  This 
will likely take quite a bit of work to reverse and as Al suggested an 
incident with PSS would likely lead to a faster resolution as this is not a 
common issue to work around.  While you could try to reverse each change and 
some of the objects would replicate since you have a mixed set of objects 
instantiated at different times this could be difficult.  You could then delete 
the objects but they will not be cleaned up until tombstone lifetime is up and 
garbage collection has run.  You will still be stuck with the schema extension 
until you get to 2003 Forest mode where you can defunct it.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, September 25, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ah, this may make more sense, but in a different way possibly.  There
were two extensions that were done now that I got done talking to him.
GroupOfURLs as talked about before, and also memberURL.

Apparently, for what he was trying to do, groupOfURLs was attached to
this object, but did not work out as what he had hoped for.  So to try
and get it to work, he actually attached memberURL as a maycontain of
the group class.

Basically, the extensions were created.  This object was created.
GroupOfURLs was added as a maycontain to this particular object.  It did
not work out as intended.  Then memberURL was added as a maycontain to
Group.

At least this is the information I am getting from the other admin.  Any
thoughts?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, September 25, 2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

I am evidently still recovering from jet lag.  Only attributes can be
defined in maycontain.  I am guessing that at one point groupofURLs was
defined as a subclass of group.  Without knowing exactly what was
changed in the schema it is hard to say how you got here.  You could try
changing the subclass assuming you have not instantiated any more
objects using this class.  I am still unclear on how one object has an
additional class listed that is different from the rest.

Thanks,

-Steve

-Original Message-
From: WATSON, BEN [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/25/06 11:12 AM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Well, I just attempted to add group and groupOfNames into the
groupofURLs objectclass as a maycontain and I get an error when
attempting this process that states Schema update failed: attribute in
may-contain does not exist.

Hmm...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Yes.

Thanks,

-Steve

-Original Message-
From: WATSON, BEN [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/24/06 11:21 PM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Hi Steve,

Just to make sure I understand, do you mean I should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  I believe all of the objects of this class will cause the same problem
because it appears they were created and the schema was changed after
they were instantiated.  One way to correct the problem may be to add
back group and groupOfNames classes to the groupofURLs schema
definition.  I would of course test doing this first and also follow up
with whoever was responsible for the original schema change to determine
exactly what they did which would allow you to reverse the changes.  If
you were on Windows Server 2003 and in Forest Functional Level 2, i.e.
Windows 2003 Forest Functional Level, you could have defunct the schema
change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-25 Thread Steve Linehan
I am evidently still recovering from jet lag.  Only attributes can be defined 
in maycontain.  I am guessing that at one point groupofURLs was defined as a 
subclass of group.  Without knowing exactly what was changed in the schema it 
is hard to say how you got here.  You could try changing the subclass assuming 
you have not instantiated any more objects using this class.  I am still 
unclear on how one object has an additional class listed that is different from 
the rest.

Thanks,

-Steve

-Original Message-
From: WATSON, BEN [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/25/06 11:12 AM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Well, I just attempted to add group and groupOfNames into the
groupofURLs objectclass as a maycontain and I get an error when
attempting this process that states Schema update failed: attribute in
may-contain does not exist.

Hmm...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Yes.

Thanks,

-Steve

-Original Message-
From: WATSON, BEN [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/24/06 11:21 PM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Hi Steve,

Just to make sure I understand, do you mean I should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  I believe all of the objects of this class will cause the same problem
because it appears they were created and the schema was changed after
they were instantiated.  One way to correct the problem may be to add
back group and groupOfNames classes to the groupofURLs schema
definition.  I would of course test doing this first and also follow up
with whoever was responsible for the original schema change to determine
exactly what they did which would allow you to reverse the changes.  If
you were on Windows Server 2003 and in Forest Functional Level 2, i.e.
Windows 2003 Forest Functional Level, you could have defunct the schema
change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
originating from something about this now deleted object (
dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted Objects,DC=appsig,DC=com).
I just don't know what I can do with it at this point.

C:\tools\err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for 20b4

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defined in the schema and objects
were instantiated and then its definition was changed.  This could
explain why the in-site DCs have the objects and out of site ones do
not, schema partition changes replicate at a higher priority than domain
partition changes so when these got bulked up for out of site
replication the objects no longer met the schema definition, i.e. the
subclass of group is no longer defined for the object.  These objects do
not appear to fit the definition of the groupofURLs class as it is now
defined and are therefore causing replication to be blocked.  This is of
course all a hypothesis as I do not have the details on exactly what
changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins
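Steve's hypothesis in this thread, that objects instantiated under an earlier groupOfURLs definition stop satisfying the class once the redefined schema reaches out-of-site DCs ahead of the objects, as a simplified model added here for illustration (not Active Directory's code and not from the thread). The schema, the object and its DN are constructed, and the check is reduced to one rule: every objectClass value must sit on the superclass chain of the object's most derived class.

```python
"""Simplified model of a DC validating inbound objects against its current
schema. Added illustration only; the classes, object and DN are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Error code quoted in the thread (err.exe output): 0x20b4 / decimal 8372
ERROR_DS_OBJ_CLASS_NOT_SUBCLASS = 0x20B4


@dataclass(frozen=True)
class ClassSchema:
    ldap_display_name: str
    sub_class_of: str                  # parent class; "top" is its own parent
    may_contain: Tuple[str, ...] = ()


@dataclass(frozen=True)
class DirObject:
    dn: str
    object_class: Tuple[str, ...]      # as AD lists it: top first, most derived last
    attributes: Tuple[str, ...]


Schema = Dict[str, ClassSchema]


def superclass_chain(schema: Schema, cls: str) -> List[str]:
    """Walk subClassOf links from cls up to top (inclusive)."""
    chain = [cls]
    while schema[cls].sub_class_of != cls:
        cls = schema[cls].sub_class_of
        chain.append(cls)
    return chain


def validate(schema: Schema, obj: DirObject) -> int:
    """Return 0 if obj fits the schema, else ERROR_DS_OBJ_CLASS_NOT_SUBCLASS.
    Every objectClass value must lie on the superclass chain of the most
    derived class (the last value); any other value is 'not a subclass'."""
    structural = obj.object_class[-1]
    if structural not in schema:
        return ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
    if set(obj.object_class) != set(superclass_chain(schema, structural)):
        return ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
    return 0


def apply_inbound(schema: Schema, queue) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Process a replication queue in order. Schema entries update the local
    copy of the schema; objects are kept only if they validate at that moment."""
    schema = dict(schema)
    accepted: List[str] = []
    blocked: List[Tuple[str, int]] = []
    for kind, item in queue:
        if kind == "schema":
            schema[item.ldap_display_name] = item
        else:
            rc = validate(schema, item)
            if rc == 0:
                accepted.append(item.dn)
            else:
                blocked.append((item.dn, rc))
    return accepted, blocked


# Constructed schema: groupOfURLs first defined as a subclass of group (V1),
# later redefined directly under top (V2), which is the guess made above.
BASE: Schema = {
    "top": ClassSchema("top", "top"),
    "group": ClassSchema("group", "top", ("member",)),
}
GROUP_OF_URLS_V1 = ClassSchema("groupOfURLs", "group", ("memberURL",))
GROUP_OF_URLS_V2 = ClassSchema("groupOfURLs", "top", ("memberURL",))

# Object instantiated while V1 was in force (constructed DN, not the thread's)
INFOWEB = DirObject(
    "CN=InfowebAccess,OU=Apps,DC=example,DC=com",
    ("top", "group", "groupOfURLs"),
    ("member", "memberURL"),
)


def in_site_scenario():
    # In-site DCs received the object before the class was redefined.
    return apply_inbound(BASE, [("schema", GROUP_OF_URLS_V1),
                                ("object", INFOWEB),
                                ("schema", GROUP_OF_URLS_V2)])


def out_of_site_scenario():
    # Schema partition changes replicate ahead of domain partition changes
    # across sites, so the object is validated against V2 and is rejected.
    return apply_inbound(BASE, [("schema", GROUP_OF_URLS_V1),
                                ("schema", GROUP_OF_URLS_V2),
                                ("object", INFOWEB)])


def repaired_scenario():
    # The repair suggested in the thread: put group back into the definition.
    return apply_inbound(BASE, [("schema", GROUP_OF_URLS_V2),
                                ("schema", GROUP_OF_URLS_V1),
                                ("object", INFOWEB)])


if __name__ == "__main__":
    for name, fn in (("in-site", in_site_scenario),
                     ("out-of-site", out_of_site_scenario),
                     ("repaired", repaired_scenario)):
        ok, bad = fn()
        print(f"{name}: accepted={ok} blocked={[(dn, hex(rc)) for dn, rc in bad]}")
```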

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-24 Thread Steve Linehan
Ben,
  We really need to find out exactly what was defined in the schema when to 
determine how this occurred.  From the information provided it would appear 
that the groupofURLs class was defined in the schema and objects were 
instantiated and then its definition was changed.  This could explain why the 
in-site DCs have the objects and out of site ones do not, schema partition 
changes replicate at a higher priority than domain partition changes so when 
these got bulked up for out of site replication the objects no longer met the 
schema definition, i.e. the subclass of group is no longer defined for the 
object.  These objects do not appear to fit the definition of the groupofURLs 
class as it is now defined and are therefore causing replication to be blocked. 
 This is of course all a hypothesis as I do not have the details on exactly 
what changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,DC=com

dn:CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
adminDisplayName: groupOfURLs
cn: groupOfURLs
defaultObjectCategory:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
governsID: 2.16.840.1.113730.3.2.33
instanceType: 4
lDAPDisplayName: groupOfURLs
mayContain: memberURL
distinguishedName:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: top
objectClass: classSchema
objectClassCategory: 0
objectGUID: {2B09EA58-1A00-4170-B419-9ADC0AA0B655}
possSuperiors: container
name: groupOfURLs
rDNAttID: cn
schemaIDGUID: {8B5ACDC4-EAF2-45D9-A596-C196ABD02405}
showInAdvancedViewOnly: TRUE
subClassOf: top
systemOnly: FALSE
uSNChanged: 7985664
uSNCreated: 7985664
whenChanged: 20060913180400.0Z
whenCreated: 20060913180359.0Z

There are currently 4 other objects that have the groupofURLs listed as
an objectClass.

dn:CN=InfowebDept12,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group

dn:CN=InfowebDept24,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: groupOfNames
objectClass: group

dn:CN=InfowebDept25,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group

dn:CN=InfowebSection581,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group

Let me know if you need anything else.

Thanks,
~Ben


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Actually looking at this further you will probably find that the schemas
are in sync, i.e. the groupofURLs object class is defined across all of
the servers.  I say that because the error you would have gotten if it
did not exist on the target would have been either schema mismatch or
ERROR_DS_OBJ_CLASS_NOT_DEFINED.  So what I suspect is that groupofURLs
is not defined properly or is being referenced incorrectly.  Can you
dump the schema entry for this class from one of your servers and post
it?  Also if you have the LDIF file that was used to update the schema
that includes the definition of this object class that would be great as
well.  What I do not understand is how you have an object defined this
way as I would have expected us to block creation of the object if this
class is not defined/referenced properly.  Any information on how the
schema was modified and how these objects were created would be helpful.
The fix will likely be to remove the groupofurls objectclass from the
object but you need to determine how you got to this point so that it
does not occur again.

Thanks,

-Steve


From: [EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-24 Thread Steve Linehan
Ben,
  I believe all of the objects of this class will cause the same problem 
because it appears they were created and the schema was changed after they were 
instantiated.  One way to correct the problem may be to add back group and 
groupOfNames classes to the groupofURLs schema definition.  I would of course 
test doing this first and also follow up with whoever was responsible for the 
original schema change to determine exactly what they did which would allow you 
to reverse the changes.  If you were on Windows Server 2003 and in Forest 
Functional Level 2, i.e. Windows 2003 Forest Functional Level, you could have 
defunct the schema change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
originating from something about this now deleted object
(dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted Objects,DC=appsig,DC=com).
I just don't know what I can do with it at this point.

C:\tools\err\Errerr 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for 20b4

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defined in the schema and objects
were instantiated and then its definition was changed.  This could
explain why the in-site DCs have the objects and out of site ones do
not, schema partition changes replicate at a higher priority than domain
partition changes so when these got bulked up for out of site
replication the objects no longer met the schema definition, i.e. the
subclass of group is no longer defined for the object.  These objects do
not appear to fit the definition of the groupofURLs class as it is now
defined and are therefore causing replication to be blocked.  This is of
course all a hypothesis as I do not have the details on exactly what
changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,DC=com

dn:CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
adminDisplayName: groupOfURLs
cn: groupOfURLs
defaultObjectCategory:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
governsID: 2.16.840.1.113730.3.2.33
instanceType: 4
lDAPDisplayName: groupOfURLs
mayContain: memberURL
distinguishedName:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: top
objectClass: classSchema
objectClassCategory: 0
objectGUID: {2B09EA58-1A00-4170-B419-9ADC0AA0B655}
possSuperiors: container
name: groupOfURLs
rDNAttID: cn
schemaIDGUID: {8B5ACDC4-EAF2-45D9-A596-C196ABD02405}
showInAdvancedViewOnly: TRUE
subClassOf: top
systemOnly: FALSE
uSNChanged: 7985664
uSNCreated: 7985664
whenChanged: 20060913180400.0Z
whenCreated: 20060913180359.0Z

There are currently 4 other objects that have the groupofURLs listed as
an objectClass.

dn:CN=InfowebDept12,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group

dn:CN=InfowebDept24,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: groupOfNames

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-24 Thread Steve Linehan
Yes.

Thanks,

-Steve

-Original Message-
From: WATSON, BEN [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/24/06 11:21 PM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Hi Steve,

Just to make sure I understand, do you mean I should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  I believe all of the objects of this class will cause the same problem
because it appears they were created and the schema was changed after
they were instantiated.  One way to correct the problem may be to add
back group and groupOfNames classes to the groupofURLs schema
definition.  I would of course test doing this first and also follow up
with whoever was responsible for the original schema change to determine
exactly what they did which would allow you to reverse the changes.  If
you were on Windows Server 2003 and in Forest Functional Level 2, i.e.
Windows 2003 Forest Functional Level, you could have defunct the schema
change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
originating from something about this now deleted object
(dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted Objects,DC=appsig,DC=com).
I just don't know what I can do with it at this point.

C:\tools\err\Errerr 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for 20b4

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defined in the schema and objects
were instantiated and then its definition was changed.  This could
explain why the in-site DCs have the objects and out of site ones do
not, schema partition changes replicate at a higher priority than domain
partition changes so when these got bulked up for out of site
replication the objects no longer met the schema definition, i.e. the
subclass of group is no longer defined for the object.  These objects do
not appear to fit the definition of the groupofURLs class as it is now
defined and are therefore causing replication to be blocked.  This is of
course all a hypothesis as I do not have the details on exactly what
changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,DC=com

dn:CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
adminDisplayName: groupOfURLs
cn: groupOfURLs
defaultObjectCategory:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
governsID: 2.16.840.1.113730.3.2.33
instanceType: 4
lDAPDisplayName: groupOfURLs
mayContain: memberURL
distinguishedName:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=appsig,DC=com
objectClass: top
objectClass: classSchema
objectClassCategory: 0
objectGUID

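To make the "not a subclass" condition Steve is describing concrete, here is an added example, written for this page and not code from the thread, from AdFind or from Active Directory itself. It parses AdFind-style dumps like the ones Ben posted, builds the class hierarchy from the classSchema entries, and checks each object's objectClass values against it. The rule it enforces is an assumption and a simplification of the real DC check: after auxiliary classes are set aside, every listed class must sit on one subClassOf chain from top down to a single most-derived class, and 88-classes (objectClassCategory 0) are treated like structural ones. The schema text inside is constructed: top and group stand in for the built-in classes, groupOfURLs copies the definition dumped above (subClassOf: top, objectClassCategory: 0), and the "repaired" variant that makes groupOfURLs a structural subclass of group is a hypothetical reading of the "add back group" suggestion, not something the thread confirms.

```python
"""Model of the objectClass-vs-schema consistency check (added example, not AD code).

The rule applied is an assumption: setting auxiliary classes aside, an object's
objectClass values must lie on one subClassOf chain from 'top' down to a single
most-derived class; 88-classes (objectClassCategory 0) are treated as structural.
"""
from collections import defaultdict

# objectClassCategory values: 0 = 88-class, 1 = structural, 2 = abstract, 3 = auxiliary
CATEGORY_AUXILIARY = 3

def parse_adfind(text):
    """Split 'attr: value' lines into entries. Each entry starts at a 'dn:' line
    and maps attribute -> list of values (objectClass is multi-valued)."""
    entries, current = [], None
    for raw in text.splitlines():
        attr, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank line or a line without a 'name:' prefix
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries.append(current)
        if current is not None:
            current[attr].append(value)
    return entries

def build_schema(entries):
    """lDAPDisplayName -> (subClassOf, objectClassCategory) for every classSchema entry."""
    return {
        e["lDAPDisplayName"][0]: (e["subClassOf"][0], int(e["objectClassCategory"][0]))
        for e in entries if "classSchema" in e["objectClass"]
    }

def ancestors(schema, name):
    """subClassOf chain from a class up to 'top'; None if a link is undefined or circular."""
    chain = [name]
    while chain[-1] != "top":
        entry = schema.get(chain[-1])
        if entry is None or entry[0] in chain:
            return None
        chain.append(entry[0])
    return chain

def check_object_classes(schema, object_classes):
    """Return ('OK', chain), ('NOT_DEFINED', cls) or ('NOT_SUBCLASS', (cls, [others]))."""
    chains = {}
    for cls in object_classes:
        chain = ancestors(schema, cls)
        if chain is None:
            return ("NOT_DEFINED", cls)  # cf. ERROR_DS_OBJ_CLASS_NOT_DEFINED
        chains[cls] = chain
    non_aux = [c for c in object_classes
               if c == "top" or schema[c][1] != CATEGORY_AUXILIARY]
    for candidate in non_aux:  # one listed class must have all the others as ancestors
        if all(c in chains[candidate] for c in non_aux):
            return ("OK", chains[candidate])
    deepest = max(non_aux, key=lambda c: len(chains[c]))
    others = [c for c in non_aux if c not in chains[deepest]]
    return ("NOT_SUBCLASS", (deepest, others))  # cf. ERROR_DS_OBJ_CLASS_NOT_SUBCLASS

def class_entry(name, sub_class_of, category):
    """Constructed classSchema entry in the AdFind dump layout."""
    return (f"dn:CN={name},CN=Schema,CN=Configuration,DC=appsig,DC=com\n"
            f"lDAPDisplayName: {name}\nobjectClass: top\nobjectClass: classSchema\n"
            f"objectClassCategory: {category}\nsubClassOf: {sub_class_of}\n\n")

# Constructed: 'top' and 'group' stand in for the built-in classes; groupOfURLs
# copies the posted definition (subClassOf: top, objectClassCategory: 0).
SCHEMA_AS_DUMPED = (class_entry("top", "top", 2) + class_entry("group", "top", 1)
                    + class_entry("groupOfURLs", "top", 0))
# Hypothetical repair: groupOfURLs redefined as a structural subclass of group.
SCHEMA_REPAIRED = (class_entry("top", "top", 2) + class_entry("group", "top", 1)
                   + class_entry("groupOfURLs", "group", 1))
# Constructed object in the same layout as the InfowebDept12 dump in the thread.
OBJECT_DUMP = """\
dn:CN=InfowebDept12,OU=InfowebGroups,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group
"""

def check_dump(schema_text, object_text):
    """Check every object in object_text against the classes in schema_text."""
    schema = build_schema(parse_adfind(schema_text))
    return {obj["dn"][0]: check_object_classes(schema, obj["objectClass"])
            for obj in parse_adfind(object_text)}

if __name__ == "__main__":
    for label, text in (("as dumped", SCHEMA_AS_DUMPED), ("repaired", SCHEMA_REPAIRED)):
        for dn, result in check_dump(text, OBJECT_DUMP).items():
            print(f"{label}: {dn} -> {result}")
```

With the schema as dumped, the InfowebDept12 class list {top, groupOfURLs, group} fails because groupOfURLs and group are both non-auxiliary yet neither is an ancestor of the other, which is the shape of the 0x20b4 error decoded above; with groupOfURLs as a subclass of group the same list resolves to the chain groupOfURLs, group, top and passes. The parser also returns NOT_DEFINED when a listed class is missing from the schema, the other outcome Steve mentions.
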
RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread Steve Linehan
 from source server
e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred
during the application of the changes to the directory database on this system.

The error message is:
The replication system encountered an internal error.

The directory will try to update the object later on the next replication cycle.
Synchronization of this server with the source is effectively blocked until the
update problem is corrected.

If this condition appears to be related to a resource shortage, please stop and
restart this Windows Domain Controller.

If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required to
correct the database and allow the update to proceed. It is valuable to note
that the problem is caused by the fact that the change on the remote system
cannot be applied locally. Manually updating the objects on the local system in
not recommended. Instead, on the source system (which has the changes already),
try to reverse or back out the change. Then, on the next replication cycle,
observe whether the change can now be applied locally.

The record data is the status code.

Event ID: 1085 - Category: Replication - Type: Warning

Replication warning: The directory replication agent (DRA) couldn't synchronize
partition DC=appsig,DC=com with partition on directory server
b04a1a6f-dae6-4795-bb91-9805f458c9d5._msdcs.appsig.com.

The error was:
The replication system encountered an internal error.

Please verify that the address can be resolved with DNS, and that it is
reachable via the transport. If this error persists, the KCC will reconfigure
the links around this server.

The record data is the status code.

Event ID: 1061 - Category: Replication - Type: Warning

Internal error: The directory replication agent (DRA) call returned error 8442.

That's all of it. If you need me to get any further information, let me know and
I'll get it immediately.

Thank you for your help!

~Ben

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 9/22/2006 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

You could also turn up additional logging
which would give more details as to what the internal error is. I would
suggest starting with the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

1. Locate the 5 Replication Events value under the above key.
2. On the Edit menu, click DWORD, type 4, and then click OK.
3. Locate the 9 Internal Processing value under the same key.
4. On the Edit menu, click DWORD, type 1, and then click OK.

After you do this post the full event text for the error and any additional
replication or internal processing errors. I would expect to get back an
Exception value with parameters and an internal id. These can be used to
determine what is causing the problem. To answer your original question
the tombstoned object will only be removed once the tombstone lifetime is
reached and garbage collection has run. I would not recommend changing
the tombstone lifetime to correct this as it is forest wide and can lead to
more serious problems than you currently have. We should be able to
determine the cause of the internal error and correct it without taking such
risky and drastic measures.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Vinnie Cardona
Sent: Friday, September 22, 2006 9:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

What event id are you seeing associated with this error?

Vinnie Cardona
Systems Administrator
Ernest Health, Inc
Information Technology Dept
505.798.6472

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of WATSON, BEN
Sent: Friday, September 22, 2006 6:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problems and Tombstoned Objects

Our forest is currently experiencing some replication issues. The
common error we have been receiving has revolved around a single object.
To summarize, how do you permanently delete Active Directory objects?
More specifically, how do you remove an object that is already
tombstoned? Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update
object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID
e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which
have been received from source server
e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error
occurred during the application of the changes to the directory database
on this system.

The error message is:
The replication system encountered an internal error.

The directory will try to update the object later on the next
replication cycle. Synchronization of this server

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread Steve Linehan
Ben,
  It would appear that the schema was modified on the source servers but does 
not match on the destination servers.  I am not aware of a default objectclass 
called groupofURLs.  Is this something that you modified recently?  Can you 
dump the definition of this objectclass from a schema on the source and verify 
that the schema on the target does not match?  Can you also send me a repadmin 
/showreps /v from a source and target.  It would appear that you have a schema 
modification gone bad.  Can you also search and see if you have any other 
objects on the source DC that have that objectclass listed?

Thanks,

-Steve

From: [EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

First off, thanks for all your help, you are always incredibly helpful.

Here’s the output you requested from the source server.

dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted 
Objects,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group

I should note though that this object NEVER replicated to other sites.  So the 
only output I can give you is from the source DC.  At least on the surface, 
this object seems to be the source of the replication issues.

Thanks again,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, September 22, 2006 11:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Can you dump the objectclass attribute on the deleted object mentioned in the 
error on one of the source servers and a destination server?  The second error 
code in the internal error event log seems to indicate that the objectclass is 
being updated with a value that is not a subclass.


C:\tools\err\Errerr 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS   winerror.h
# The specified class is not a subclass.
# 1 matches found for 20b4

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Correction, 10 domain controllers in 9 sites.

From: WATSON, BEN
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Basic info and troubleshooting I've done to gather symptom information...

We are running a single forest, single domain Windows 2000 environment (I know, 
I know, I'm in the process of getting this upgraded to Win2k3 R2) with 9 domain 
controllers and 8 sites.  Three of the sites are hub sites, and each hub site 
has 2 spoke sites.  Our main hub site has 2 domain controllers, and all other 
remote sites have a single domain controller.

The replication issues are actually affecting an entire site, unfortunately our 
main hub site (the one with 2 domain controllers).  Oddly enough, it's not 
Domain Controller specific, the problem is actually site specific, and even 
more specifically, it's only affecting replication traffic OUTBOUND from the 
site.  Inbound replication traffic works fine as well as replication between 
the two domain controllers inside the site.  At first, I thought the domain 
controller that was acting as a Bridgehead for our site was having issues, so I 
forced the other domain controller in the site to be the preferred bridgehead 
server, deleted all the connection objects, and allowed the KCC to recreate the 
connection objects.  It did this properly.  I then attempted to force 
replication to take place, and the same symptoms still persisted even though it 
was a completely different domain controller attempting to perform the 
intersite replication.

Here are the results of performing a, REPADMIN /REPLADMIN /BYSRC /BYDEST 
/SORT:DELTA command.
Appsig-AV and Appsig-AD are the two domain controllers in the problem site.  
Appsig-AD was the original DC that began showing problems in the site, and 
Appsig-AV is the domain controller I switched over to test intersite 
replication using a different DC.

Replication Summary Start Time: 2006-09-22 21:59:43
Beginning data collection for replication summary, this may take awhile:
  .

Source DC       largest delta  fails/total  %%  error
 APPSIG-MDOPC   14m:06s         0 /  18     0
 APPSIG-LAOPC   10m:09s         0 /  12     0
 APPSIG-TXOPC   09m:52s         0 /   3     0
 APPSIG-OCOPC   09m:52s         0 /   3     0
 APPSIG-OROPC   02m:48s         0 /   6     0
 APPSIG-UTOPC   02m:46s         0 /   6     0
 APPSIG-DCOPC   02m:08s         0 /   3     0
 APPSIG-VAOPC   02m:08s         0 /   3     0
 APPSIG-AV      (unknown)       4 /  15    26  (8442

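The repadmin summary table Ben pasted above is exactly what a replication health check would poll, so here is an added example (written for this page, not code from the thread or from Microsoft) that parses that summary layout and decides which source or destination DCs deserve an alert. The sample output inside is constructed in the same format with made-up DC names and numbers, the 8442 status and its message are the ones from Ben's events, and the one-hour delta threshold is an assumed policy value.

```python
"""Parse 'repadmin /replsummary' output and flag DCs to alert on (added example)."""
import re

# One table row: "<dsa> <largest delta> <fails> / <total> <pct> [(code) message]"
ROW_RE = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<delta>\(unknown\)|>\d+ days|\S+)\s+"
    r"(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+(?P<pct>\d+)"
    r"(?:\s+\((?P<code>\d+)\)\s*(?P<msg>.*?))?\s*$"
)
# Delta cells look like 14m:06s, 01h:02m:03s or 02d.01h:10m:00s.
DELTA_RE = re.compile(r"^(?:(?P<d>\d+)d\.)?(?:(?P<h>\d+)h:)?(?P<m>\d+)m:(?P<s>\d+)s$")

# Constructed sample in the layout shown in the thread; DC names and numbers are made up.
SAMPLE_SUMMARY = """\
Replication Summary Start Time: 2006-09-22 21:59:43

Beginning data collection for replication summary, this may take awhile:
  .

Source DC       largest delta  fails/total  %%  error
 HUB-DC01        14m:06s          0 /  18    0
 SPOKE-DC02      (unknown)        4 /  15   26  (8442) The replication system encountered an internal error.
 SPOKE-DC03      02d.01h:10m:00s  0 /   6    0

Destination DC  largest delta  fails/total  %%  error
 HUB-DC01        14m:06s          0 /  21    0
 SPOKE-DC02      >60 days         3 /   3  100  (8442) The replication system encountered an internal error.
"""

def delta_seconds(cell):
    """Convert a 'largest delta' cell to seconds; None when unknown or unparseable."""
    m = DELTA_RE.match(cell)
    if not m:
        return None
    d, h, mi, s = (int(m.group(g) or 0) for g in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s

def parse_replsummary(text):
    """Return one dict per table row, tagged with its section (source/destination)."""
    rows, section = [], None
    for line in text.splitlines():
        head = line.strip().lower()
        if head.startswith("source d"):
            section = "source"
            continue
        if head.startswith("destination d"):
            section = "destination"
            continue
        m = ROW_RE.match(line)
        if section is None or not m:
            continue
        rows.append({
            "section": section,
            "dsa": m.group("dsa"),
            "delta": m.group("delta"),
            "delta_seconds": delta_seconds(m.group("delta")),
            "fails": int(m.group("fails")),
            "total": int(m.group("total")),
            "pct": int(m.group("pct")),
            "error_code": int(m.group("code")) if m.group("code") else None,
            "error_msg": m.group("msg") or "",
        })
    return rows

def flag_problems(rows, max_delta_seconds=3600):
    """Rows worth an alert: any failed attempt, an unparseable delta, or a delta
    over the threshold (one hour by default, an assumed policy value)."""
    flagged = []
    for r in rows:
        reasons = []
        if r["fails"]:
            reasons.append(f"{r['fails']} of {r['total']} attempts failed")
        if r["error_code"] is not None:
            reasons.append(f"error {r['error_code']}: {r['error_msg']}")
        if r["delta_seconds"] is None:
            reasons.append(f"largest delta not parseable ({r['delta']})")
        elif r["delta_seconds"] > max_delta_seconds:
            reasons.append(f"largest delta {r['delta']} over threshold")
        if reasons:
            flagged.append((r["section"], r["dsa"], reasons))
    return flagged

if __name__ == "__main__":
    for section, dsa, reasons in flag_problems(parse_replsummary(SAMPLE_SUMMARY)):
        print(f"{section} {dsa}: {'; '.join(reasons)}")
```

The parser keeps the error code and message with each row so the alert can carry them; in Ben's case a source row with fails greater than zero and status 8442 is the signal that outbound replication from the site is blocked, before anyone reads the event log.
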
RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-23 Thread Steve Linehan
Actually looking at this further you will probably find that the schemas are in 
sync, i.e. the groupofURLs object class is defined across all of the servers.  
I say that because the error you would have gotten if it did not exist on the 
target would have been either schema mismatch or 
ERROR_DS_OBJ_CLASS_NOT_DEFINED.  So what I suspect is that groupofURLs is not 
defined properly or is being referenced incorrectly.  Can you dump the schema 
entry for this class from one of your servers and post it?  Also if you have 
the LDIF file that was used to update the schema that includes the definition 
of this object class that would be great as well.  What I do not understand is 
how you have an object defined this way as I would have expected us to block 
creation of the object if this class is not defined/referenced properly.  Any 
information on how the schema was modified and how these objects were created 
would be helpful.  The fix will likely be to remove the groupofurls objectclass 
from the object but you need to determine how you got to this point so that it 
does not occur again.

Thanks,

-Steve


From: [EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  It would appear that the schema was modified on the source servers but does 
not match on the destination servers.  I am not aware of a default objectclass 
called groupofURLs.  Is this something that you modified recently?  Can you 
dump the definition of this objectclass from a schema on the source and verify 
that the schema on the target does not match?  Can you also send me a repadmin 
/showreps /v from a source and target.  It would appear that you have a schema 
modification gone bad.  Can you also search and see if you have any other 
objects on the source DC that have that objectclass listed?

Thanks,

-Steve

From: [EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

First off, thanks for all your help, you are always incredibly helpful.

Here’s the output you requested from the source server.

dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted 
Objects,DC=appsig,DC=com
objectClass: top
objectClass: groupOfURLs
objectClass: group

I should note though that this object NEVER replicated to other sites.  So the 
only output I can give you is from the source DC.  At least on the surface, 
this object seems to be the source of the replication issues.

Thanks again,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, September 22, 2006 11:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Can you dump the objectclass attribute on the deleted object mentioned in the 
error on one of the source servers and a destination server?  The second error 
code in the internal error event log seems to indicate that the objectclass is 
being updated with a value that is not a subclass.


C:\tools\err\Errerr 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS   winerror.h
# The specified class is not a subclass.
# 1 matches found for 20b4

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Correction, 10 domain controllers in 9 sites.

From: WATSON, BEN
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Basic info and troubleshooting I've done to gather symptom information...

We are running a single forest, single domain Windows 2000 environment (I know, 
I know, I'm in the process of getting this upgraded to Win2k3 R2) with 9 domain 
controllers and 8 sites.  Three of the sites are hub sites, and each hub site 
has 2 spoke sites.  Our main hub site has 2 domain controllers, and all other 
remote sites have a single domain controller.

The replication issues are actually affecting an entire site, unfortunately our 
main hub site (the one with 2 domain controllers).  Oddly enough, it's not 
Domain Controller specific, the problem is actually site specific, and even 
more specifically, it's only affecting replication traffic OUTBOUND from the 
site.  Inbound replication traffic works fine as well as replication between 
the two domain controllers inside the site.  At first, I thought the domain 
controller that was acting as a Bridgehead for our site was having issues, so I 
forced the other domain controller in the site to be the preferred bridgehead

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread Steve Linehan
You could also turn up additional logging which would give more details as to 
what the internal error is.  I would suggest starting with the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

1. Locate the 5 Replication Events value under the above key.
2. On the Edit menu, click DWORD, type 4, and then click OK.
3. Locate the 9 Internal Processing value under the same key.
4. On the Edit menu, click DWORD, type 1, and then click OK.

After you do this post the full event text for the error and any additional 
replication or internal processing errors.  I would expect to get back an 
Exception value with parameters and an internal id.  These can be used to 
determine what is causing the problem.  To answer your original question the 
tombstoned object will only be removed once the tombstone lifetime is reached 
and garbage collection has run.  I would not recommend changing the tombstone 
lifetime to correct this as it is forest wide and can lead to more serious 
problems than you currently have.  We should be able to determine the cause of 
the internal error and correct it without taking such risky and drastic 
measures.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Friday, September 22, 2006 9:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

What event id are you seeing associated with this error?

Vinnie Cardona
Systems Administrator
Ernest Health, Inc
Information Technology Dept
505.798.6472

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, September 22, 2006 6:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problems and Tombstoned Objects

Our forest is currently experiencing some replication issues.  The
common error we have been receiving has revolved around a single object.
To summarize, how do you permanently delete Active Directory objects?
More specifically, how do you remove an object that is already
tombstoned?  Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update
object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID
e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which
have been received from source server
e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error
occurred during the application of the changes to the directory database
on this system.

 The error message is:
 The replication system encountered an internal error.

 The directory will try to update the object later on the next
replication cycle. Synchronization of this server with the source is
effectively blocked until the update problem is corrected.
 If this condition appears to be related to a resource shortage, please
stop and restart this Windows Domain Controller.
 If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required
to correct the database and allow the update to proceed.  It is valuable
to note that the problem is caused by the fact that the change on the
remote system cannot be applied locally. Manually updating the objects
on the local system in not recommended. Instead, on the source system
(which has the changes already), try to reverse or back out the change.
Then, on the next replication cycle, observe whether the change can now
be applied locally.
 The record data is the status code.
---

After I deleted this object, I continue to get the same error, except it
now references the deleted (tombstoned) object as a roadblock.

---
Replication error: The directory replication agent (DRA) couldn't update
object CN=InfowebAccess
DEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted
Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89)
etc...  (same as error above)
---

What would be the proper method to permanently remove a tombstoned
object?  If I'm following the error messages, then removing the object
permanently should (hopefully) resolve the issues.

Thanks,
~Ben
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
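To make the triage Steve describes concrete, here is an added example (it is not code from the list or from Microsoft) that parses a DRA "couldn't update object" event of the shape quoted above, reports whether the object it names is already a tombstone, and works out when that tombstone becomes eligible for garbage collection. The event text, object name, GUIDs and domain below are constructed placeholders; the 60-day tombstone lifetime is the Windows 2000/2003 RTM forest default and is an assumption about the poster's forest.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Forest default tombstone lifetime for forests created on Windows 2000 or
# Windows Server 2003 RTM (an assumption; read the real value from the
# tombstoneLifetime attribute of the Directory Service object in your forest).
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60

# Core of the DRA "couldn't update object" event after whitespace is collapsed.
# The source server is the DSA GUID-based _msdcs name.
_DRA_ERROR_RE = re.compile(
    r"couldn't update object (?P<dn>.+?) \(GUID (?P<guid>[0-9A-Fa-f-]+)\) on this system"
    r" with changes which have been received from source server (?P<source>\S+)\."
)

# A tombstone's RDN is "<cn>\0ADEL:<objectGUID>" under CN=Deleted Objects.
# \0A is an escaped newline, so tools that print the DN unescaped show a real
# line break before "DEL:"; after whitespace collapsing that becomes a space.
_TOMBSTONE_RE = re.compile(
    r"^(?P<rdn>CN=.+?)(?:\\0A|\s)DEL:(?P<guid>[0-9A-Fa-f-]+),CN=Deleted Objects,(?P<nc>.+)$"
)


def parse_dra_error(event_text: str) -> Optional[dict]:
    """Extract object DN, GUID and source DSA from a DRA update-failure event.

    Returns None when the text is not a DRA "couldn't update object" event.
    """
    flat = " ".join(event_text.split())
    m = _DRA_ERROR_RE.search(flat)
    if not m:
        return None
    dn = m.group("dn")
    tomb = _TOMBSTONE_RE.match(dn)
    if tomb:
        original_rdn, naming_context = tomb.group("rdn"), tomb.group("nc")
    else:
        original_rdn = dn.split(",", 1)[0]
        naming_context = ",".join(p for p in dn.split(",") if p.startswith("DC="))
    return {
        "dn": dn,
        "object_guid": m.group("guid"),
        "source_dsa": m.group("source"),
        "is_tombstone": tomb is not None,
        "original_rdn": original_rdn,
        "naming_context": naming_context,
    }


def tombstone_expiry(deleted_at: datetime,
                     lifetime_days: int = DEFAULT_TOMBSTONE_LIFETIME_DAYS) -> datetime:
    """Earliest instant garbage collection may remove the tombstone.

    Garbage collection runs on its own schedule (12 hours by default), so the
    object actually disappears at the first collection pass at or after this.
    """
    return deleted_at + timedelta(days=lifetime_days)


def gc_status(deleted_iso: str, now_iso: str,
              lifetime_days: int = DEFAULT_TOMBSTONE_LIFETIME_DAYS) -> dict:
    """String-friendly wrapper: ISO 8601 timestamps in, expiry and eligibility out."""
    deleted = datetime.fromisoformat(deleted_iso)
    now = datetime.fromisoformat(now_iso)
    expiry = tombstone_expiry(deleted, lifetime_days)
    return {"expires": expiry.isoformat(), "eligible": now >= expiry}


# Constructed sample modelled on the event quoted in the thread; the line break
# inside the DN is how an unescaped "\0A" renders in the event viewer.
SAMPLE_TOMBSTONE_EVENT = """Replication error: The directory replication agent (DRA) couldn't update
object CN=ExampleGroup
DEL:11111111-2222-3333-4444-555555555555,CN=Deleted
Objects,DC=example,DC=com (GUID 11111111-2222-3333-4444-555555555555)
on this system with changes which have been received from source server
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee._msdcs.example.com. An error
occurred during the application of the changes to the directory database
on this system."""

# The same event before the object was deleted (constructed as well).
SAMPLE_LIVE_EVENT = SAMPLE_TOMBSTONE_EVENT.replace(
    "CN=ExampleGroup\nDEL:11111111-2222-3333-4444-555555555555,CN=Deleted\nObjects,",
    "CN=ExampleGroup,OU=Groups,")

if __name__ == "__main__":
    print(parse_dra_error(SAMPLE_TOMBSTONE_EVENT))
    print(gc_status("2006-09-01T00:00:00+00:00", "2006-10-30T00:00:00+00:00"))
```

The parser deliberately accepts both the escaped `\0ADEL:` form and the unescaped line break, because the event viewer, ldp and repadmin do not agree on how they print tombstone DNs.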



RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Steve Linehan

The following documentation describes this in detail: http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx

Read-only and Writable Replicas

When computing the replication topology, the KCC must consider
whether a replica is writable or read-only. For each potential set of
replication partners in the topology, the considerations are as follows:

- A writable replica can receive updates from a corresponding writable replica.
- A read-only replica can receive updates from a corresponding writable replica.
- A read-only replica can receive updates from a corresponding read-only replica.
- A writable replica cannot receive updates from a corresponding read-only replica.

So as Laura states GCs can replicate amongst themselves.

Thanks,

-Steve

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Laura A. Robinson
Sent: Wednesday, August 30, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

No. GCs can replicate partitions that they don't own to other
GCs. They can't replicate them to DCs for the domains in question, but they
*can* replicate their read-only partitions to other GCs.

Laura

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, August 30, 2006 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

That should be "GCs cannot replicate partitions they don't
own"... right?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Wednesday, August 30, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

Is it a GC? If so, then yes, that's to be expected. You may have
*thought* that you gave it only one replication partner, but if you're seeing
additional connection objects, then it has more than one replication partner.
When planning replication, you must be aware of every partition that the DCs in
a site are hosting. If you don't want that remote DC to have connection objects
from all of those other DCs, you're probably going to need to set up connection
objects for preferred DCs for it to use for replication of partition data. If
it's a GC, and if you have a GC that is a DC for the same domain in another
site, that would be a good choice to set as a replication partner, because they
would be able to replicate all of their partitions (GCs can replicate partitions
they don't own to other GCs).

Laura

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

It's a Windows 2000 native domain, we're about 4 upgrades from
having all Win2k3 DCs and from what I've read, that should help a lot with
replication.

Automatic site link bridging isn't enabled, and we have 0 site link
bridges.

We're a worldwide company with 3 main hubs, but it is a mesh
network in design (MPLS).

I guess I'm mainly confused because the DC at the slow bandwidth
site in question only has one replication partner, yet we see connections to it
from a large number of our DCs on a regular basis. Is this normal?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Wednesday, August 30, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs

Intervals vary by company, domain structure, network topology and
latency tolerances. That said, there is nothing inherently wrong with the
replication parameters you list below. Are they the best parameters for your
environment? That depends. Is this a Windows 2000 environment? Is automatic
site link bridging enabled? There's a lot to consider in determining how to set
site link properties; what you've listed below won't really be enough for
anybody to give you any kind of realistic advice. (sorry)

Laura

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, August 30, 2006 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site replication settings/costs

We have about 80 AD sites with DCs. All sites are set for a
cost of 100 on the site to site replication, and a replication interval of 15
minutes. I'm presuming this is probably not a good thing.

One slow bandwidth site is complaining that their DC is talking to
every DC in the domain.

What is everyone else using as a replication interval for
inter-site replication?

 
  

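The four rules from the TechNet table Steve quotes, as an added example (not code from the list or from the TechNet page) that models which DCs may serve as a source for each partition a given DC hosts. It shows why a GC in a small site is a legitimate partner of DCs in every domain, which is the behaviour Russ is seeing. The forest, site and DC names are constructed. Note that it enumerates allowed sources, which is the pool the KCC chooses connection objects from, not the connection objects the KCC actually creates.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Replica:
    partition: str   # naming context, e.g. "corp", "emea", "Configuration"
    writable: bool   # False for the partial read-only copies a GC holds


@dataclass(frozen=True)
class DomainController:
    name: str
    site: str
    replicas: FrozenSet[Replica]


def can_receive(dest: Replica, src: Replica) -> bool:
    """The four rules from the quoted table, applied to one partition.

    Any replica may receive from a writable one; a read-only replica may also
    receive from another read-only replica; a writable replica never pulls from
    a read-only one (a GC's partial copy must not overwrite the real NC).
    """
    if dest.partition != src.partition:
        return False
    return src.writable or not dest.writable


def make_dc(name: str, site: str, domain: str,
            forest_domains: List[str], is_gc: bool) -> DomainController:
    """A DC holds its own domain NC plus Configuration and Schema as writable
    replicas; a GC additionally holds read-only partial replicas of every
    other domain in the forest."""
    replicas = {Replica(domain, True), Replica("Configuration", True), Replica("Schema", True)}
    if is_gc:
        replicas |= {Replica(d, False) for d in forest_domains if d != domain}
    return DomainController(name, site, frozenset(replicas))


def candidate_sources(dest: DomainController,
                      dcs: List[DomainController]) -> Dict[str, Set[str]]:
    """For each partition dest hosts, the DCs it is allowed to replicate it from."""
    out: Dict[str, Set[str]] = {}
    for dr in dest.replicas:
        out[dr.partition] = {
            src.name for src in dcs if src is not dest
            for sr in src.replicas if can_receive(dr, sr)
        }
    return out


def partner_dcs(dest: DomainController, dcs: List[DomainController]) -> Set[str]:
    """Every DC that may be a source for at least one partition dest hosts.
    This is the pool Russ's remote DC sees connections from; the KCC picks
    actual connection objects from it according to site links and bridgeheads."""
    return set().union(*candidate_sources(dest, dcs).values())


# Constructed forest: two domains, three DCs, one of them a GC in a slow site.
FOREST = ["corp", "emea"]
DCS = [
    make_dc("HUB-DC1", "Hub", "corp", FOREST, is_gc=True),
    make_dc("HUB-DC2", "Hub", "emea", FOREST, is_gc=False),
    make_dc("REMOTE-DC1", "SlowSite", "corp", FOREST, is_gc=True),
]
BY_NAME = {dc.name: dc for dc in DCS}

if __name__ == "__main__":
    for dc in DCS:
        print(dc.name, candidate_sources(dc, DCS))
```

Running it shows the asymmetry Laura describes: REMOTE-DC1 may pull its read-only emea copy from either the emea DC or the other GC, but HUB-DC2's writable emea NC has no legitimate source among the GCs at all.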
RE: [ActiveDir] AD Site replication settings/costs

2006-08-30 Thread Steve Linehan

One more thing to add. If you want to see why we are
building the topology the way we are you can use ADLB in verbose reporting mode
and it will help you determine why the selections were made. You can of
course download ADLB from microsoft.com.

Thanks,

-Steve


RE: [ActiveDir] nslookup. AD beginer question

2006-08-28 Thread Steve Linehan

There was a bug in Windows XP where
netlogon would register SRV records which are documented here:
http://support.microsoft.com/kb/825675/en-us
That is the only time I have seen that.

Thanks,

-Steve

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 28, 2006 3:11
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

You should get back your domain
controllers' IP addresses. Is it possible that your user's
computer has gotten the IP of an old DC?

Mike Thommes

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 3:03
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

Thanks, but after reading all that I still
was not able to find out what kind of information you get when you do a lookup of
domain.com, domain.com being your AD domain, and why I am getting a
user's computer.

Thanks

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

http://www.cni.org/pub/inetroom/nslookup.html

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,

Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

From: Ramon Linan
Sent: Mon 8/28/2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do an nslookup of domain.com, domain.com being
my AD domain, what should I see? A list of the DNS servers in my
domain? A list of the DCs?

The fact is that I am doing nslookup and I
am getting domain controllers but also a user's computer.

Thanks










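One way to check for the symptom Ramon describes, added here as an example that is neither the list's nor Microsoft's code: the A records on the domain apex are registered by Netlogon on each DC, so they should match the addresses of the hosts advertised by the `_ldap._tcp.dc._msdcs.<domain>` SRV records; any other address on the apex is a stray registration worth tracing back to its owner (the XP Netlogon issue Steve links is one known cause). The zone data below is constructed; a live check would feed the functions from your resolver's answers (`resolve_a` covers A records with the standard library, SRV lookups need `nslookup -type=SRV` or a DNS library).

```python
import socket
from typing import Dict, Iterable, List, Set


def _norm(name: str) -> str:
    """Case-fold and drop the trailing dot so SRV targets and zone keys agree."""
    return name.lower().rstrip(".")


def resolve_a(host: str) -> Set[str]:
    """Live A lookup via the OS resolver (not used by the offline sample)."""
    return set(socket.gethostbyname_ex(host)[2])


def dc_addresses(srv_targets: Iterable[str], a_records: Dict[str, Set[str]]) -> Set[str]:
    """Map the SRV target host names of the DC locator record to their IPs."""
    ips: Set[str] = set()
    for host in srv_targets:
        ips |= a_records.get(_norm(host), set())
    return ips


def audit_apex(domain: str, srv_targets: Iterable[str],
               a_records: Dict[str, Set[str]]) -> dict:
    """Compare the apex A records with the DC address set.

    "stray" lists apex addresses that belong to no DC, "missing" lists DCs
    whose Netlogon registration of the apex record is absent.
    """
    apex = a_records.get(_norm(domain), set())
    dcs = dc_addresses(srv_targets, a_records)
    return {"stray": sorted(apex - dcs), "missing": sorted(dcs - apex), "ok": apex == dcs}


def who_owns(ip: str, a_records: Dict[str, Set[str]], domain: str) -> List[str]:
    """Host names (other than the apex itself) that publish this address."""
    return sorted(name for name, ips in a_records.items()
                  if ip in ips and _norm(name) != _norm(domain))


# Constructed zone data: two DCs plus a workstation that has registered itself
# on the apex, which is the symptom reported in the thread.
SAMPLE_SRV = ["dc1.example.com.", "dc2.example.com."]
SAMPLE_A = {
    "example.com": {"10.0.0.1", "10.0.0.2", "10.0.5.77"},
    "dc1.example.com": {"10.0.0.1"},
    "dc2.example.com": {"10.0.0.2"},
    "ws-ramon.example.com": {"10.0.5.77"},
}

if __name__ == "__main__":
    report = audit_apex("example.com", SAMPLE_SRV, SAMPLE_A)
    for ip in report["stray"]:
        print(ip, "is not a DC; registered by", who_owns(ip, SAMPLE_A, "example.com"))
```

Why it matters from the defender's side: clients that resolve the bare domain name (for example for `\\domain.com\SYSVOL` or `\\domain.com\NETLOGON`) will happily connect to whatever the apex points at, so a stray record silently redirects that traffic to a non-DC.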
RE: [ActiveDir] Server Performance Advisor

2006-08-24 Thread Steve Linehan
The tracing code still fires even if the data is cached, i.e. an LDAP
request is still made.  What I believe you are seeing is the report
compiler summarizing the results.  You can change to expert level to 10
which will cause the report to have all entries in it.

Thanks,

-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, August 24, 2006 10:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Server Performance Advisor

Hi all

I've been looking at SPA and have been trying to get it to report all
LDAP searches.  I've managed to get it to report searches, but the
results are inconsistent.  For example, if I kick off the performance
capture and then run an LDAP search that exceeds the configured warning
levels I will see something like this in the AD.XML file:

<item level="1">
  <data name="Client">192.168.102.11</data>
  <data name="Choice">deep</data>
  <data name="ObjDn">dc=colours,...</data>
  <data name="Filter">SAM Account Name with multiple AND parts and wildcards</data>
  <data name="Index">idx_samaccountname</data>
  <data name="DsSimpleStatus">Success</data>
  <data name="ObjVisited" warning="adTopObjectVisited">900</data>
  <data name="ObjReturned" warning="adTooManyObjectReturned">900</data>
  <data name="requestRate">0.02</data>
  <data name="responseTime">103</data>
  <data name="cpu">0.22</data>
</item>

If I run a subsequent capture, using the same (or similar) search
criteria it doesn't log the LDAP search activity in the AD.XML file.  I
suspect this perhaps has to do with the DC caching search criteria, but I'm
not sure.

Can anyone shed any light on this?  Or, put another way, has anyone
successfully and consistently captured all LDAP search activity using
SPA?

Tony 





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
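Tony's AD.XML excerpt, as an added example that is not SPA's own tooling: a parser that pulls out the searches SPA marked with a warning attribute and tallies them per client, so the entries that the summarising report collapses can still be listed. The `<report>` wrapper element and the second, unflagged item are constructed (the real report's root element is not shown in the thread); the flagged item follows the structure Tony posted.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List


def expensive_searches(ad_xml: str) -> List[dict]:
    """Return one record per <item> whose <data> elements carry a warning."""
    root = ET.fromstring(ad_xml)
    findings: List[dict] = []
    for item in root.iter("item"):
        data = item.findall("data")
        fields = {d.get("name"): (d.text or "").strip() for d in data}
        warnings = {d.get("name"): d.get("warning") for d in data if d.get("warning")}
        if not warnings:
            continue
        findings.append({
            "level": int(item.get("level", "0")),
            "client": fields.get("Client"),
            "base": fields.get("ObjDn"),
            "scope": fields.get("Choice"),
            "filter": fields.get("Filter"),
            "index": fields.get("Index"),
            "visited": int(fields.get("ObjVisited", "0")),
            "returned": int(fields.get("ObjReturned", "0")),
            "response_ms": int(fields.get("responseTime", "0")),
            "warnings": warnings,
        })
    return findings


def flagged_per_client(findings: List[dict]) -> Dict[str, int]:
    """Count flagged searches by originating client address."""
    return dict(Counter(f["client"] for f in findings))


# Constructed report: the flagged item from the thread plus one benign base
# search; "<report>" is an assumed wrapper, not SPA's documented root element.
SAMPLE_AD_XML = """<report>
  <item level="1">
    <data name="Client">192.168.102.11</data>
    <data name="Choice">deep</data>
    <data name="ObjDn">dc=colours,...</data>
    <data name="Filter">SAM Account Name with multiple AND parts and wildcards</data>
    <data name="Index">idx_samaccountname</data>
    <data name="DsSimpleStatus">Success</data>
    <data name="ObjVisited" warning="adTopObjectVisited">900</data>
    <data name="ObjReturned" warning="adTooManyObjectReturned">900</data>
    <data name="requestRate">0.02</data>
    <data name="responseTime">103</data>
    <data name="cpu">0.22</data>
  </item>
  <item level="1">
    <data name="Client">192.168.102.20</data>
    <data name="Choice">base</data>
    <data name="ObjDn">cn=users,dc=example,dc=com</data>
    <data name="Filter">objectClass=*</data>
    <data name="Index">none</data>
    <data name="DsSimpleStatus">Success</data>
    <data name="ObjVisited">1</data>
    <data name="ObjReturned">1</data>
    <data name="requestRate">0.01</data>
    <data name="responseTime">2</data>
    <data name="cpu">0.01</data>
  </item>
</report>"""

if __name__ == "__main__":
    found = expensive_searches(SAMPLE_AD_XML)
    for f in found:
        print(f["client"], f["visited"], "visited,", sorted(f["warnings"]))
    print(flagged_per_client(found))
```

Feed it the AD.XML from a capture run at expert level 10, as Steve suggests, and the per-client tally is a quick way to spot which host keeps issuing the wildcard-heavy searches.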


RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

2006-08-23 Thread Steve Linehan
Furthermore the current implementation of wldap32 in Windows Server 2003
SP1 does not request that the certificate be verified.  This has been
changed in a QFE for Windows Server 2003 SP1 and will be addressed in
the next service pack for Windows Server 2003, SP2.  So you may see a
change in behavior going forward at least on the server platform.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --
problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003
do.
However, there are behavior variances on an application-by-application
basis. For more information:
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
 Sent: Wednesday, August 23, 2006 10:06 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Secure LDAP queries from the outside
 -- problem solved
 
 It actually depends on the policy defined for the SSL stack.
 In Windows, this is typically configured globally for all SSL,
 although I'm not sure where.  It definitely used to be the case in
 Windows that CRLs were never checked, but I have seen some other SSL
 stuff with HTTP actually checking the CRL on 2K3 servers.
 
 It is also possible in SSPI with Schannel to ignore specific 
 conditions, so this could be something that is ignored in the default 
 LDAP SSL routine in Windows, but I doubt it.  The callback function 
 for server certificate verification will give you the error code if 
 there is a problem and the client can then deal with it as it sees 
 fit.
 
 CRLs can definitely be trouble though.  They are by far the most 
 vexing thing to troubleshoot in SSL, and PKI in general.
 
 Joe
 
 - Original Message -
 From: Thommes, Michael M. [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Wednesday, August 23, 2006 8:37 PM
 Subject: RE: [ActiveDir] Secure LDAP queries from the outside
 -- problem solved
 
 
 Hi joe,
 The CRL location is *not* available from the outside.  
 And since neither adfind, ldp or Outlook Express seemed to care, I am 
 guessing that not many
 (any?) tools require it.  Kinda makes ya wonder why you would have it
 if it's not used.  Sorta like not using the book of bad credit card
 numbers when someone handed you a credit card!  (maybe some of you are
 old enough to remember this safeguard before there were computers
 everywhere!  LOL!).
 
 Mike Thommes
 
 
 
 From: [EMAIL PROTECTED] on behalf of joe
 Sent: Wed 8/23/2006 7:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Secure LDAP queries from the outside
 -- problem solved
 
 
 Cool, is the CRL available from the outside at all? I am really 
 curious if that is truly needed from the client when using LDAPS, it 
 doesn't seem to be needed but my testing has been far from perfect in 
 that regard.
 
   joe
 
 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
 
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
 Michael M.
 Sent: Wednesday, August 23, 2006 8:06 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Secure LDAP queries from the outside
 -- problem
 solved
 
 
 
 Thanks to all who responded!  The problem was solved by installing our
 local root CA cert on the outside computer since we are rolling our
 own and not using one of the well known CAs (Trusted Root
 Certification Authorities).
 
 
 
 Mike Thommes
 
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
 Michael M.
 Sent: Tuesday, August 22, 2006 9:36 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Secure LDAP queries from the outside
 
 
 
 Hi Robert,
 
 Yes, the command is *exactly* the same.  We are thinking that our 
 CRL location is not available outside of the firewall.  We generate 
 our own certificates; we don't use a well known provider.
 
 
 
 Mike Thommes
 
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Williams, 
 Robert
 Sent: Tuesday, August 22, 2006 9:16 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Secure LDAP queries from the outside
 
 
 
 Hey Mike,
 
 
 
 When you say "It works fine behind our firewall", are you meaning that
 the *exact same* command line works and you get the object returned?
 
 
 
 I tried using adfind to connect to my test DC using port 636 
 and got the 
 exact same error...but I don't have a cert installed on my DC 
 so I'd expect 
 mine not to work.
 
 Robert Williams
 
 
 
 From: [EMAIL 

RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

2006-08-23 Thread Steve Linehan
Not sure if it will be configurable; I just happened to run across it
on something else I was working on and saw the change request.  I would
imagine that it will not be configurable as the intended behavior was to
check the CRL, especially since sensitive operations such as password
resets are generally going over LDAPS.  However someone who is beta
testing Windows Server 2003 SP2 as a customer could verify that the
change occurred and then provide feedback if it was undesirable.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 23, 2006 10:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --
problem solved

Oh this could catch some folks by surprise... 

Out of curiosity, is it implemented with a "turn on this reg key to
enable this" or will it just occur?

I prefer it be something admins turn on, otherwise it will catch people
by surprise like the SP1 Service Control Manager ACL.

And if there isn't a reg entry to turn it on, can we have a reg entry
to turn it off or do we wait until SP3? :)


  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 


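The two "Secure LDAP queries from the outside" threads above turn on three separate client-side checks: is the chain validated at all (the wldap32 behaviour Steve describes), is the in-house root CA trusted (Mike's fix), and is the CRL consulted (what the SP2 change adds). Here is an added example, written in Python rather than against wldap32 and not code from the list or from Microsoft, that puts the weak client configuration beside the corrected one so the difference is explicit. File paths are parameters you supply; nothing is fetched offline.

```python
import socket
import ssl
from typing import Optional


def unverified_ldaps_context() -> ssl.SSLContext:
    """The weak setting: encrypt the channel but never validate the server
    certificate (no chain check, no name check, no revocation check).  This is
    the behaviour the thread attributes to wldap32 on Windows Server 2003 SP1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_ldaps_context(local_root_ca_pem: Optional[str] = None,
                           crl_pem: Optional[str] = None,
                           require_crl: bool = False) -> ssl.SSLContext:
    """The corrected setting: chain and host-name validation, optionally with
    revocation checking of the server (leaf) certificate.

    local_root_ca_pem: path to the in-house root CA; this is what Mike had to
        install on the outside machine because the DC cert was self-issued.
    crl_pem: path to the CRL in PEM form.  OpenSSL does not fetch the CDP URL
        out of the certificate, so with require_crl set and no usable CRL
        loaded the handshake fails closed, which is the "CRL location is not
        reachable from outside" situation in the thread made visible.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    if local_root_ca_pem:
        ctx.load_verify_locations(cafile=local_root_ca_pem)
    if crl_pem:
        ctx.load_verify_locations(cafile=crl_pem)
    if require_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will actually enforce, for logging or tests."""
    return {
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_verified": bool(ctx.check_hostname),
        "crl_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def ldaps_peer_certificate(host: str, ctx: ssl.SSLContext, port: int = 636,
                           timeout: float = 5.0) -> dict:
    """Open an LDAPS connection and return the validated peer certificate,
    or raise ssl.SSLCertVerificationError.  Under the unverified context the
    handshake succeeds against any certificate and the returned dict is empty,
    because Python only parses a certificate it has validated.  Network-only."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("weak    :", describe(unverified_ldaps_context()))
    print("hardened:", describe(verified_ldaps_context(require_crl=True)))
```

The practical lesson matches Mike's experience: adfind, ldp and Outlook Express all "worked" from outside because, like the weak context, they were not asking for the CRL at all; a client built on the hardened context would have refused the connection until the CRL was published somewhere reachable.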
RE: [ActiveDir] Password resets

2006-08-11 Thread Steve Linehan
The two products are actually quite different especially since one
relies on the sampling frequency of a phone versus any microphone an end
user may have.  Anyway the story you reference below actually has a much
more interesting background and the developer responsible for the issue
blogged about it here:
http://blogs.msdn.com/larryosterman/archive/2006/07/31/684327.aspx. It
is always interesting to see how software bugs manifest themselves in
real life. 

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert
Rutherford
Sent: Friday, August 11, 2006 7:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Heheh... had this come in on Silicon's round-up of the week :)


snip
And finally, Microsoft - everybody's favourite love-hate tech titan -
has been up to its old tricks of late with a botched live demo of new
voice recognition software, which will be included in its Vista launch,
in front of media and analysts at its Redmond headquarters.

A Microsoft employee bravely took to the stage, no doubt with the same
kind of trepidation felt by the world's first parachute jumper or the
person who discovered 'yes, you can eat snails'.

"Dear mom comma," he began speaking purposefully into a headset
microphone positioned just a few millimetres from his lips with all the
pace and clarity of an English tourist trying to order "Two... pints...
of... lager... please..." in a foreign country.

At which point "Dear aunt," appeared on the big screen for all to see,
followed by some much-to-be-expected chortling from the audience who no
doubt fear the day a Microsoft demo runs smoothly.

"Fix aunt," said the slightly embarrassed Microsoft man.

"Dear aunt, let's set," read the screen.

"Delete that, delete that, delete that..." he said.

"Dear aunt, let's set so," said the big screen.

"I think it's picking up a bit of an echo," he told the guffawing
audience.

"Delete, select all," he added.

"Dear aunt, let's set so double the killer delete select all,"
came the response on the screen.

By which point the audience was laughing so hard the Round-Up suspected
an accident of a toilet nature may befall at least a few of its members.

"I'm glad you're enjoying this," offered the Microsoft man, realising he
may have seen his demonstration go horrendously wrong but he'd at least
made them laugh and doubtless left them eager for more.

The comedy could only have been heightened if at that point Mr Clippy
announced his return by popping up and saying: "It looks like you're
writing a letter."

Or perhaps even: "It looks like you're making a right old balls up of
this my friend."

However, it seems the problem may have been down to some background
noise at the demonstration and not - the Round-Up repeats 'not', you
understand - any crappy software.

snip-

BR

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 03:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Well all I can say is that we have several partners that have built
password and pin reset capabilities on top of Microsoft Speech Server
2004 and have customers that are very satisfied with them:
http://www.microsoft.com/speech/solutions/password/default.mspx .  It is
something that I get asked about a lot and was a requested feature for
the password reset capabilities that are being planned for Active
Directory.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 10, 2006 7:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password resets

Love that movie.

(Sneakers with Robert Redford)

"I'd like world peace."  "We're the government, we don't do that
kind of thing!"

As an off topic, if you get the Director's edition you get the info
about how the code speech done by the character Gunther was actually
augmented and reviewed by the guy who is the A in RSA.

(okay okay I need a life, I know...)

Passwords are one of the most challenging aspects of security and
networks because they impact so closely with the human element.  There
are studies on how brains process numbers and how much we can remember.

Amazon.com: Perfect Passwords: Selection, Protection, Authentication:
Books: Mark Burnett,Dave Kleiman:
http://www.amazon.com/gp/product/1597490415/sr=8-2/qid=1155257055/ref=pd_bbs_2/103-7791739-9887065?ie=UTF8

This one has a chapter on passwords:
Amazon.com: Protect Your Windows Network: From Perimeter to Data
(Microsoft Technology): Books: Jesper M. Johansson,Steve

RE: [ActiveDir] memberOf and member link breaking

2006-08-11 Thread Steve Linehan
How long ago did you remove the user?  Phantom cleanup can take a while.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Friday, August 11, 2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] memberOf and member link breaking

Thanks for the article Tomasz.  After reading it a few times I took a
look at our IM role holder and it isn't a GC in either domain.  Would
the problem that I am experiencing suggest that there is something wrong
with the infrastructure master in either domain (where the user or where
the group reside)?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
 Sent: Friday, August 11, 2006 9:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] memberOf and member link breaking

 Presley, Steven wrote:
  I have seen this a few times now (Windows 2003 SP1) where someone will
  remove a user from a distribution group and it will update the
  memberOf attribute of the user, but not the member attribute of the
  group.  The user object is in a different domain than the group if
  that matters.  It

 yes, it matters:
 http://support.microsoft.com/?id=248047


 --
 Tomasz Onyszko
 http://www.w2k.pl/blog/ - (PL)
 http://blogs.dirteam.com/blogs/tomek/ - (EN)
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx

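Steven's question above (does it matter that the Infrastructure Master is not a GC?) is answered by the rule in KB 248047: the IM must not be a global catalog unless every DC in the domain is one, because a GC holds the real cross-domain objects and never notices that its phantoms are stale. The Python below is an added example, not code from the thread or from Microsoft, that encodes the check over values you would read with any LDAP client: fSMORoleOwner on CN=Infrastructure,<domain DN> names the IM's NTDS Settings object, and bit 0x1 of each NTDS Settings object's options attribute marks a GC. The DNs and options values in it are constructed sample data.

```python
"""Infrastructure Master placement check: the rule from KB 248047 as code."""

# Bit in the 'options' attribute of a CN=NTDS Settings object: this DC is a global catalog.
NTDSDSA_OPT_IS_GC = 0x1


def placement_queries(domain_dn: str, config_dn: str) -> dict:
    """The two LDAP reads that feed infrastructure_master_ok().

    fSMORoleOwner on CN=Infrastructure,<domain> is the DN of the IM's NTDS Settings object;
    the nTDSDSA objects whose hasMasterNCs lists the domain NC are that domain's DCs.
    """
    return {
        "im_holder": {"base": "CN=Infrastructure," + domain_dn, "scope": "base",
                      "filter": "(objectClass=infrastructureUpdate)", "attrs": ["fSMORoleOwner"]},
        "domain_dcs": {"base": "CN=Sites," + config_dn, "scope": "subtree",
                       "filter": "(&(objectClass=nTDSDSA)(hasMasterNCs=%s))" % domain_dn,
                       "attrs": ["options"]},
    }


def infrastructure_master_ok(im_ntds_dn: str, dc_options: dict) -> tuple:
    """dc_options: {NTDS Settings DN: options} for every DC of the domain. Returns (ok, why)."""
    known = {dn.lower(): opt for dn, opt in dc_options.items()}
    gcs = {dn for dn, opt in known.items() if opt & NTDSDSA_OPT_IS_GC}
    im = im_ntds_dn.lower()
    if im not in known:
        return False, "fSMORoleOwner %s is not a DC of this domain; transfer or seize the role" % im_ntds_dn
    if im in gcs and len(gcs) < len(known):
        return False, ("IM is a global catalog while %d of %d DCs are not: its cross-domain phantoms "
                       "never look stale to it, so member/memberOf links to other domains are never refreshed"
                       % (len(known) - len(gcs), len(known)))
    if im in gcs:
        return True, "IM is a GC, but so is every DC here; no phantoms exist, so nothing needs updating"
    return True, "IM is not a GC; it will refresh cross-domain phantoms on its phantom scan"


# Constructed sample: a two-DC domain where only DC1 is a global catalog.
DOMAIN_DN = "DC=corp,DC=example"
CONFIG_DN = "CN=Configuration,DC=corp,DC=example"
NTDS = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites," + CONFIG_DN
SAMPLE_DC_OPTIONS = {NTDS % "DC1": 0x1, NTDS % "DC2": 0x0}

if __name__ == "__main__":
    for holder in ("DC1", "DC2"):
        print(holder, infrastructure_master_ok(NTDS % holder, SAMPLE_DC_OPTIONS))
```

Steve's "phantom cleanup can take a while" is the IM's phantom scan, which by default runs every two days (the Days per Database Phantom Scan value under the NTDS Parameters key on the role holder), so even a correctly placed IM can show a stale link for that long after the removal.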

RE: [ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

2006-08-11 Thread Steve Linehan
Microsoft provides several options for scanning your machines for
security patches which can be found here:
http://www.microsoft.com/technet/security/tools/default.mspx 
Take a look at the section Security Update Detection Solutions and
find the one that best meets your environment.  There are of course many
other third party tools as well.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Friday, August 11, 2006 10:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

Thanks John this is really helpful, though only for this vulnerability.

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Friday, August 11, 2006 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability in DNS Resolution Could Allow Remote Code Execution

For MS06-040 you can use the tool from eeye.com to ID vulnerable
machines:

http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Alex Alborzfard wrote:
 What about MS06-040? I've heard it's a nasty one like blaster.
 DHS has already issued a recommendation to apply this patch.
 
 I remember using a utility tool that would list all applied patches on a
 Windows box with all kind of information.
 Anyone has ever used or knows anything about it?
 
 Alex
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, August 08, 2006 1:55 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Microsoft Security Bulletin MS06-041
Vulnerability
 in DNS Resolution Could Allow Remote Code Execution
 
 One of 12 today...but since it's DNS related
 
 Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution 
 Could Allow Remote Code Execution (920683):
 http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx
 
 For an attack to be successful the attacker would either have to be on a
 subnet between the host and the DNS server or force the target host to
 make a DNS request to receive a specially crafted record response from
 an attacking server.
 
 (and Brett...just a FYI... in my twig forest... any attacker that ends
 up on a subnet between a host and my DNS server [aka the Kitchen sink
 service server] ... that attacker is dead meat and has a 2x4 aimed his
 way... one advantage of being little)
 
 Your patch folks may be calling up you AD guys for testing passes.
 
 Workarounds:
 
 *Block DNS related records at network gateways*
 
 Blocking the following DNS record types at network gateways will help
 protect the affected system from attempts to exploit this vulnerability.
 
 * ATMA
 * TXT
 * X25


RE: [ActiveDir] Password resets

2006-08-10 Thread Steve Linehan
Well all I can say is that we have several partners that have built
password and pin reset capabilities on top of Microsoft Speech Server
2004 and have customers that are very satisfied with them:
http://www.microsoft.com/speech/solutions/password/default.mspx .  It is
something that I get asked about a lot and was a requested feature for
the password reset capabilities that are being planned for Active
Directory.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 10, 2006 7:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password resets

Love that movie.

(Sneakers with Robert Redford)

"I'd like world peace."  "We're the government, we don't do that
kind of thing!"

As an off topicif you get the Director's edition you get the info
about how the code speech done by the character Gunther was actually
augmented and reviewed by the guy who is the A in RSA.

(okay okay I need a life, I know...)

Passwords are one of the most challenging aspects of security and
networks because they impact so closely with the human element.  There
are studies on how brains process numbers and how much we can remember.

Amazon.com: Perfect Passwords: Selection, Protection, Authentication: 
Books: Mark Burnett,Dave Kleiman:
http://www.amazon.com/gp/product/1597490415/sr=8-2/qid=1155257055/ref=pd
_bbs_2/103-7791739-9887065?ie=UTF8

This one has a chapter on passwords:
Amazon.com: Protect Your Windows Network: From Perimeter to Data
(Microsoft Technology): Books: Jesper M. Johansson,Steve Riley:
http://www.amazon.com/gp/product/0321336437/sr=1-1/qid=1155257102/ref=pd
_bbs_1/103-7791739-9887065?ie=UTF8s=books


The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3: Security 
Management - October 2004:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoin
t100504.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet 
Column - Security Management - December 2004:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx


David Adner wrote:
 Wait, I've seen this one before.  My voice is my passport; verify
me.



 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of
 *Figueroa, Johnny
 *Sent:* Thursday, August 10, 2006 4:55 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] Password resets

 There is talk about using a home grown speech recognition system
 to reset a user's password. You would need to enroll, the system
 would record your voice and if you ever wanted to reset your
 password, it would ask you to repeat a word of its choice.
  
 The system would use a service account with the ability to reset
 passwords and turn on the option to force the user to reset the
 password at logon. 
  
 I am just sending this out to get some feedback. I would have a
 challenge trying to exclude certain groups from being able to do
 this, like IT folks with elevated credentials. Unfortunately those
 IT folks are in the same OU as the users that want this
 functionality. 
  
 Thoughts on any part of this?
  
 Thanks
  

 Johnny Figueroa
 Supervisor Network Operations & Support
 Network Services
 Banner Health
 Voice (602) 747-4195
 Fax (602) 747-4406

 WARNING: This message, and any attachments, are intended only for
 the use of the individual or entity to which it is addressed and
 may contain information that is privileged, confidential and
 exempt from disclosure under applicable law.  If the reader of
 this message is not the intended recipient or employee/agent
 responsible for delivering the message to the intended recipient,
 you are hereby notified that any dissemination, distribution or
 copying of the communication is strictly prohibited.  If you
 receive this communication in error, please notify us immediately

  


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs


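Johnny's design has two places where the service account is the whole security story: which accounts the automated channel is allowed to reset, and how the reset itself is written. The Python below is an added example, not code from the thread; it assumes the reset service has already read the target user's adminCount, memberOf and userAccountControl over LDAP. Eligibility is decided from those attributes rather than from the OU the user sits in, which is what makes the "IT folks are in the same OU" problem go away: adminCount=1 and direct membership in an AdminSDHolder-protected group both refuse the reset. The reset payload is the standard unicodePwd replace (quoted UTF-16-LE) plus pwdLastSet=0 to force a change at next logon. The group names are the well-known built-in ones; the user records in the usage are constructed.

```python
"""Guard rails for an automated (e.g. voice-verified) self-service password reset."""
import re

# AdminSDHolder-protected groups on Windows 2000/2003 domains. An automated reset path
# must refuse their members; extend the set with your own privileged groups.
PROTECTED_GROUPS = {
    "administrators", "domain admins", "enterprise admins", "schema admins",
    "account operators", "server operators", "backup operators", "print operators",
    "domain controllers", "replicator",
}

UAC_ACCOUNTDISABLE = 0x0002
UAC_SMARTCARD_REQUIRED = 0x40000


def first_rdn_value(dn: str) -> str:
    """Value of the leading RDN ('CN=Domain Admins,CN=Users,DC=...' -> 'Domain Admins'),
    honouring backslash-escaped commas inside the value."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return rdn.split("=", 1)[1].replace("\\,", ",").strip()


def eligible_for_self_service(user: dict) -> tuple:
    """Decide from the user's directory attributes whether the reset service may touch it.

    user: {'adminCount': int|None, 'memberOf': [group DN, ...], 'userAccountControl': int}.
    memberOf is direct membership only; feed it from tokenGroups or an
    LDAP_MATCHING_RULE_IN_CHAIN query if nested membership matters to you.
    Returns (allowed, reason).
    """
    if user.get("adminCount") == 1:
        # set by AdminSDHolder for current (and past: it is never cleared) protected members
        return False, "adminCount=1: account is or was in a protected group"
    for group_dn in user.get("memberOf", []):
        name = first_rdn_value(group_dn)
        if name.lower() in PROTECTED_GROUPS:
            return False, "member of protected group %s" % name
    uac = user.get("userAccountControl", 0)
    if uac & UAC_ACCOUNTDISABLE:
        return False, "account is disabled; a password reset must not be how it comes back"
    if uac & UAC_SMARTCARD_REQUIRED:
        return False, "smart card required; the password is not the credential"
    return True, "ok"


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes the new password as a double-quoted UTF-16-LE string in unicodePwd."""
    return ('"%s"' % password).encode("utf-16-le")


def reset_modification(new_password: str) -> dict:
    """LDAP modify payload for an administrative reset that forces a change at next logon.
    Send it only over LDAPS or a signed-and-sealed bind; the DC refuses it in the clear."""
    return {
        "unicodePwd": ("replace", [encode_unicode_pwd(new_password)]),
        "pwdLastSet": ("replace", ["0"]),   # 0 == 'User must change password at next logon'
    }


if __name__ == "__main__":
    # Constructed records, as a reset service would have read them from the directory.
    nurse = {"adminCount": None, "userAccountControl": 0x200,
             "memberOf": ["CN=Nurses,OU=Groups,DC=corp,DC=example"]}
    admin = {"adminCount": 1, "userAccountControl": 0x200,
             "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]}
    for who in (nurse, admin):
        print(eligible_for_self_service(who))
```

Delegate the service account nothing more than Reset Password and write to pwdLastSet on the OU that holds the users; AdminSDHolder rewrites the ACL of protected accounts on its own schedule, so the directory backs up the adminCount check even if someone later delegates too widely.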

RE: [ActiveDir] LDAP query struggle

2006-08-01 Thread Steve Linehan
Also ensure you are putting the full DN of the user that you are searching for in publicDelegates= since that is a linked attribute.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, August 01, 2006 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP query struggle

instead of (objectCategory=user)
use (&(objectCategory=person)(objectClass=user))

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Gordon Pegue
Sent: Tue 2006-08-01 22:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP query struggle

I'd like to create an LDAP query to return a list of users that have the Send on behalf field populated in the Exchange General / Delivery Options properties in ADUC.

I cannot seem to make sense of the syntax of the query...

(&(objectCategory=user)(publicDelegates=user I'm searching for))

Is there something I'm missing or can someone provide the correct query format to do what I need?

Thanks
Gordon Pegue

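Putting Jorge's and Steve's corrections together, and adding the one thing neither reply mentions: the DN you place in publicDelegates= goes into a search filter, so parentheses, asterisks and backslashes in it (all legal in a DN) must be hex-escaped per RFC 4515 or the filter silently changes shape. The Python below is an added example, not code from the thread; it builds the two useful forms of Gordon's query and shows the reverse lookup via the publicDelegatesBL back-link. The DNs in the usage are placeholders.

```python
"""LDAP filters for 'who has Send on Behalf set', with RFC 4515 escaping of the DN value."""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value,
# otherwise a value such as "CN=Pegue (Sales)" or a crafted "*)" rewrites the filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# objectCategory=user matches nothing: a user's objectCategory is 'person' (a contact's too),
# hence the two-term form from the reply above.
USER_TERMS = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def users_with_any_send_on_behalf() -> str:
    """Every user whose Send on Behalf list (publicDelegates) is populated at all."""
    return "(&%s(publicDelegates=*))" % USER_TERMS


def users_delegating_to(delegate_dn: str) -> str:
    """Users that granted Send on Behalf to one delegate.

    publicDelegates is a DN-syntax linked attribute: the value must be the delegate's
    full distinguishedName (not a sAMAccountName or display name), and it must be escaped.
    """
    if "=" not in delegate_dn.split(",", 1)[0]:
        raise ValueError("publicDelegates needs a full DN, got: %r" % delegate_dn)
    return "(&%s(publicDelegates=%s))" % (USER_TERMS, escape_filter_value(delegate_dn))


def delegates_back_link(delegate_dn: str) -> dict:
    """The reverse question without a search: the delegate's own publicDelegatesBL
    back-link lists every mailbox that granted it Send on Behalf."""
    return {"base": delegate_dn, "scope": "base", "filter": "(objectClass=*)",
            "attrs": ["publicDelegatesBL"]}


if __name__ == "__main__":
    # Placeholder DN for a delegate whose name contains filter metacharacters.
    print(users_with_any_send_on_behalf())
    print(users_delegating_to("CN=Gordon Pegue (Sales),OU=Users,DC=corp,DC=example"))
```

The first filter is the one that answers Gordon's question as asked (everyone with the field populated); the second is the per-delegate variant, which is usually what an audit wants. Both can be pasted into ldp, adfind or ldifde -r unchanged.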
RE: [ActiveDir] Can I add an index in AD using an LDIF file?

2006-07-28 Thread Steve Linehan
For the last one does including the following in the LDIF file when adding or 
updating the attribute not accomplish what you want?
 
searchFlags: 1
 
Thanks,
 
-Steve
 


From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 7/28/2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can I add an index in AD using an LDIF file?



I realise I could do this via the UI but I want to create a single LDIF which 
will: 

*   Add new attributes 
*   Make new attributes available to User class 
*   Add new indexes 


The last point evades me so far and the RFC appears to indicate that this is 
not supported(?) 

Any ideas? 

neil 

PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended 
recipient of this email please notify the sender immediately and delete your 
copy from your system. You must not copy, distribute or take any further 
action in reliance on it. Email is not a secure method of communication and 
Nomura International plc ('NIplc') will not, to the extent permitted by law, 
accept responsibility or liability for (a) the accuracy or completeness of, 
or (b) the presence of any virus, worm or similar malicious or disabling 
code in, this message or any attachment(s) to it. If verification of this 
email is sought then please request a hard copy. Unless otherwise stated 
this email: (1) is not, and should not be treated or relied upon as, 
investment research; (2) contains views or opinions that are solely those of 
the author and do not necessarily represent those of NIplc; (3) is intended 
for informational purposes only and is not a recommendation, solicitation or 
offer to buy or sell securities or related financial instruments. NIplc 
does not provide investment services to private customers. Authorised and 
regulated by the Financial Services Authority. Registered in England 
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
London, EC1A 4NP. A member of the Nomura group of companies. 

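Steve's searchFlags: 1 is the whole answer for a plain index, but the same attribute carries several other bits, one of them security-relevant: 0x80 marks an attribute confidential, so that a default Authenticated Users read no longer returns it (a Control Access right is needed too). The Python below is an added example, not code from the thread or from Microsoft; it generates the complete LDIF Neil describes (add the attribute, index it, make it optional on the user class) with the schemaUpdateNow reload that is required between the first and last step when they sit in one file. The attribute name, OID and forest DN are placeholders: take the OID from your own registered arc, never from sample code.

```python
"""LDIF for: add a schema attribute, index it via searchFlags, expose it on the user class."""

# searchFlags bits on attributeSchema objects (Windows 2000/2003 values).
INDEX           = 0x01  # fATTINDEX: build an index over this attribute
CONTAINER_INDEX = 0x02  # fPDNTATTINDEX: per-container index (speeds one-level searches)
ANR             = 0x04  # fANR: part of Ambiguous Name Resolution; needs INDEX and a string syntax
PRESERVE_ON_DEL = 0x08  # fPRESERVEONDELETE: value survives on the tombstone
COPY_ON_DUP     = 0x10  # fCOPY: copied when an object is duplicated in ADUC
TUPLE_INDEX     = 0x20  # fTUPLEINDEX: index for medial (*abc*) substring searches
CONFIDENTIAL    = 0x80  # fCONFIDENTIAL: read needs a Control Access right too; Windows Server 2003 SP1+,
                        # and it cannot be set on base-schema (category 1) attributes


def search_flags(*flags: int) -> int:
    """Combine searchFlags bits, rejecting the combination the DC would reject."""
    value = 0
    for f in flags:
        value |= f
    if value & ANR and not value & INDEX:
        raise ValueError("ANR (0x4) requires the attribute to be indexed (0x1)")
    return value


def attribute_ldif(schema_dn: str, name: str, oid: str, flags: int, single_valued: bool = True) -> str:
    """attributeSchema object for a Unicode-string attribute (attributeSyntax 2.5.5.12 / oMSyntax 64)."""
    return "\n".join([
        "dn: CN=%s,%s" % (name, schema_dn),
        "changetype: add",
        "objectClass: attributeSchema",
        "lDAPDisplayName: %s" % name,
        "adminDisplayName: %s" % name,
        "attributeID: %s" % oid,
        "attributeSyntax: 2.5.5.12",
        "oMSyntax: 64",
        "isSingleValued: %s" % ("TRUE" if single_valued else "FALSE"),
        "searchFlags: %d" % flags,
        "",
    ])


def schema_reload_ldif() -> str:
    """Reload the schema cache so the new attribute can be referenced later in the same import."""
    return "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def add_to_class_ldif(schema_dn: str, class_cn: str, attr_name: str) -> str:
    """Make the attribute optional on a class (mayContain); class_cn='User' for user objects."""
    return "dn: CN=%s,%s\nchangetype: modify\nadd: mayContain\nmayContain: %s\n-\n" % (
        class_cn, schema_dn, attr_name)


def build_ldif(schema_dn: str, name: str, oid: str, flags: int) -> str:
    """The three steps in the order ldifde needs them, with the reload in between."""
    return "\n".join([attribute_ldif(schema_dn, name, oid, flags),
                      schema_reload_ldif(),
                      add_to_class_ldif(schema_dn, "User", name)])


if __name__ == "__main__":
    # Placeholders: your own schema container DN and an OID from your own arc.
    print(build_ldif("CN=Schema,CN=Configuration,DC=corp,DC=example", "myCorp-badgeID",
                     "1.2.840.113556.1.8000.2554.99999.1", search_flags(INDEX, CONFIDENTIAL)))
```

Import with ldifde -i -f <file> on the schema master. An attribute that holds badge numbers, PINs or anything else a self-service system keys on is exactly the kind that should carry 0x80 as well as 0x1, and the bit must be set on the category 2 attribute you create, since the base schema refuses it.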

RE: [ActiveDir] DNS Issue

2006-07-24 Thread Steve Linehan
This is similar to the problem that we had seen before with caching and
TTLs and I believe may be addressed by this fix:
http://support.microsoft.com/kb/903720/en-us.  You could confirm it by
disabling the cache but your performance will suffer.  It has been a
while since I actually looked at this type of failure but I believe we
worked around the issue temporarily by using stub zones.  Since it looks
like a possible issue with caching and TTL I would consider opening a
case with Product Support Services (PSS) to get to the bottom of it.  


Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, July 24, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


Hi Steve

Interesting findings.  Firstly, yes I am clearing the DNS Cache and not
doing ipconfig /flushdns on the DC.

I have shown the d2 output below but also see the following:

1.  Clear the DNS cache on DC
2.  Submit query for server1.nyc.test.com - success
3.  Explicitly delete the record for above host from the cache leaving
the nyc parent folder in cache.
4.  Submit query for server1.nyc.test.com - fail
5.  Delete nyc parent folder
6.  Submit query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record
expires it gets deleted (as per the manual deletion above) then
subsequent queries fail.

Note that the DNS server for test.com are QIP based - may have a
bearing?


> server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  x.x.x.x


SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN



Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-  int.mycorp.com
type = SOA, class = IN, dlen = 47
ttl = 3600 (1 hour)
primary name server = dns1.int.mycorp.com
responsible mail addr = hostmaster.int.mycorp.com
serial  = 54966
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)



SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN



Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-  mycorp.com
type = SOA, class = IN, dlen = 44
ttl = 86400 (1 day)
primary name server = name.int.com
responsible mail addr = postmaster.int.com
serial  = 2006072002
refresh = 1800 (30 mins)
retry   = 900 (15 mins)
expire  = 604800 (7 days)
default TTL = 86400 (1 day)



SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN



Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN


*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server
failed



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


David,
  A few more questions.  When you state you cleared the cache I want to
ensure this meant clearing the cache on the DNS server, not the client
resolver cache.  Also if you open the DNS snap-in in advanced mode and
look in the cache do you see a record for nyc.test.com and if so can you
provide a screenshot of the entry from the DNS MMC?  Finally can you go to

RE: [ActiveDir] DNS Issue

2006-07-23 Thread Steve Linehan
David,
  A few more questions.  When you state you cleared the cache I want to ensure 
this meant clearing the cache on the DNS server, not the client resolver cache.  
Also if you open the DNS snap-in in advanced mode and look in the cache do you 
see a record for nyc.test.com and if so can you provide a screenshot of the 
entry from the DNS MMC?  Finally can you go to the DNS server, open a cmd prompt 
and launch nslookup.  Type "set d2" without the quotes so that you get 
additional debug output and then type in nyc.test.com and post the output.  Why 
am I asking all of these questions?  Well we had a few issues where the DNS 
server's cache may not correctly cache entries, causing the behavior that you are 
seeing.  Sometimes, even though you clear the cache, if the record is looked up 
frequently then even clearing the cache will not resolve the issue long enough 
to see it corrected.  I thought that all of these had been addressed by the 
build that you are running; however the output from the above tests should let 
us see what is going on.
 
Thanks,
 
-Steve 



From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Sat 7/22/2006 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue




Hi Steve

Binary version is 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)

Clearing the cache does not fix the issue.


Thanks
David



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 22 Jul 2006 0:56
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


What version of the DNS binary are you running and if you clear the
cache instead of restart DNS does it resolve the issue?

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Fri 7/21/2006 4:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Issue


We have a single Windows 2003 SP1 forest/domain.  DCs run AD integrated
zones.  We have Forwarders configured for a domain e.g. test.com with 2
IP addresses entered for the DNS servers in test.com.

We have seen a strange issue where queries for a host in the sub-domain
nyc.test.com fail (even when doing an nslookup directly from the DC).
When we restart the DNS service on the DC resolution succeeds for a host
in nyc.test.com.  After time it appears resolution fails again.

Another observation is when (after time) name resolution fails for a
host in nyc.test.com and we explicitly add nyc.test.com as another
Forwarder and without restarting the DNS service names in nyc.test.com
resolves.  Remove the forwarding to nyc.test.com and resolution fails!

Any ideas?

Regards
David




This message contains confidential information and is intended only

for the individual or entity named. If you are not the named addressee

you should not disseminate, distribute or copy this e-mail.

Please notify the sender immediately by e-mail if you have received

this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free

as information could be intercepted, corrupted, lost, destroyed, arrive

late or incomplete, or contain viruses. The sender therefore does not

accept liability for any errors or omissions in the contents of this

message which arise as a result of e-mail transmission.

If verification is required please request a hard-copy version.

This message is provided for informational purposes and should not

be construed as an invitation or offer to buy or sell any securities or

related financial instruments.

GAM operates in many jurisdictions and is

regulated or licensed in those jurisdictions as required.






RE: [ActiveDir] Domain Trusts.

2006-07-23 Thread Steve Linehan
I believe that the documentation that you are looking for that describes these 
transitive trusts and the inability to alter them is contained here:
 
From: 
http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx

Automatic Trusts


By default, two-way transitive trusts are automatically created when a new 
domain is added to a domain tree or forest root domain by using the Active 
Directory Installation Wizard. The two default trust types are parent-child 
trusts and tree-root trusts.


Parent-child trust


A parent-child trust relationship is established whenever a new domain is 
created in a tree. The Active Directory installation process automatically 
creates a trust relationship between the new domain and the domain that 
immediately precedes it in the namespace hierarchy (for example, 
corp.tailspintoys.com is created as the child of tailspintoys.com). The 
parent-child trust relationship has the following characteristics:

*It can exist only between two domains in the same tree and namespace.

*The parent domain is always trusted by the child domain.

*It must be transitive and two-way. The bidirectional nature of 
transitive trust relationships allows the global directory information in 
Active Directory to replicate throughout the hierarchy.


Tree-root trust


A tree-root trust is established when you add a new domain tree to a forest. 
The Active Directory installation process automatically creates a trust 
relationship between the domain you are creating (the new tree root) and the 
forest root domain. A tree-root trust relationship has the following 
restrictions:

*It can be established only between the roots of two trees in the same 
forest.

*It must be transitive and two-way.

 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sun 7/23/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.


Basically we're looking at creating a resource domain because the objects that 
need to go in that domain really do need to get out of our current user 
environment.

But if you can't move items into a forest without having an automatic 2-way 
transitive trust, then we might need to just go with a separate forest.  We're 
looking at other options internally and it's possible that we may not need 
security isolation for these other domains.  Time will tell. 

You've all been very helpful, thank you.  Hopefully MS will state in their 
documentation at some point in time that these trusts can't be altered so that 
other people don't have to go "I know it's automatically created when I create 
the object, but what can I do with the trust any more" :) 



On 7/22/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote: 

you might want to describe to us what your actual goal is for creating 
a non-fully trusted domain in your AD forest.  Maybe you can reach a similar 
goal by using the fairly powerful capabilities in AD to delegate administration 
of objects within a domain. You can also use these features to hide specific 
parts of AD from the rest of the organization and thus create semi-isolated 
units within a single AD domain. 
 
Note that there is no way to fully isolate any objects within a domain 
or forest from domain or enterprise admins - if you do need full administrative 
isolation, you have to create multiple forests.
 
/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Saturday, July 22, 2006 12:45 AM


To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Domain Trusts.



1-yep
2-yep
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address




From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Sat 2006-07-22 00:35
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Trusts.


So basically there's no way to have a domain in a forest that doesn't 
fully trust every other domain in the forest?

The only way to have a non 2-way trust is to make a separate forest?




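Guido's and Jorge's answers can be checked against the directory itself: every trust a domain holds is a trustedDomain object under CN=System, and its trustDirection, trustType and trustAttributes say exactly what kind of trust it is. The Python below is an added example, not code from the thread; it decodes those attributes with the bit values documented for the Windows Server 2003 schema and flags the intra-forest (WITHIN_FOREST) trusts that dcpromo created, which are the ones that cannot be made one-way, non-transitive or SID-quarantined. The domain names in the usage are placeholders.

```python
"""Decode trustedDomain objects (under CN=System,<domain DN>) and say what each trust can be."""

TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel (NT4)", 2: "uplevel (AD)", 3: "MIT Kerberos realm", 4: "DCE"}

# trustAttributes bits
NON_TRANSITIVE = 0x01
UPLEVEL_ONLY = 0x02
QUARANTINED_DOMAIN = 0x04   # SID filtering quarantine (netdom trust ... /quarantine:yes)
FOREST_TRANSITIVE = 0x08    # forest trust between two forests at 2003 forest functional level
CROSS_ORGANIZATION = 0x10   # selective authentication
WITHIN_FOREST = 0x20        # parent-child or tree-root trust that dcpromo created
TREAT_AS_EXTERNAL = 0x40
FLAG_NAMES = {NON_TRANSITIVE: "NON_TRANSITIVE", UPLEVEL_ONLY: "UPLEVEL_ONLY",
              QUARANTINED_DOMAIN: "QUARANTINED_DOMAIN", FOREST_TRANSITIVE: "FOREST_TRANSITIVE",
              CROSS_ORGANIZATION: "CROSS_ORGANIZATION", WITHIN_FOREST: "WITHIN_FOREST",
              TREAT_AS_EXTERNAL: "TREAT_AS_EXTERNAL"}


def trust_query(domain_dn: str) -> dict:
    """Where the trust objects live and what to read from them."""
    return {"base": "CN=System," + domain_dn, "scope": "onelevel",
            "filter": "(objectClass=trustedDomain)",
            "attrs": ["cn", "trustDirection", "trustType", "trustAttributes"]}


def describe_trust(td: dict) -> dict:
    """td: the attributes of one trustedDomain object, integers where AD stores integers."""
    a = int(td.get("trustAttributes", 0))
    within = bool(a & WITHIN_FOREST)
    if a & NON_TRANSITIVE:
        transitive = False
    elif a & (WITHIN_FOREST | FOREST_TRANSITIVE):
        transitive = True
    else:
        # realm trusts may be transitive; external (domain-to-domain) trusts never are
        transitive = int(td.get("trustType", 0)) == 3
    return {
        "partner": td.get("cn"),
        "direction": TRUST_DIRECTION.get(int(td.get("trustDirection", 0)), "unknown"),
        "type": TRUST_TYPE.get(int(td.get("trustType", 0)), "unknown"),
        "flags": [name for bit, name in FLAG_NAMES.items() if a & bit],
        "transitive": transitive,
        "within_forest": within,
        "sid_filtering_quarantine": bool(a & QUARANTINED_DOMAIN),
        # The thread's conclusion: an intra-forest trust cannot be made one-way, non-transitive
        # or quarantined. Isolation from Enterprise/Domain Admins needs a separate forest.
        "alterable": not within,
        "isolation_boundary": "separate forest required" if within else "this trust",
    }


if __name__ == "__main__":
    # Constructed objects: a child domain's trust to its parent, and an external one-way trust.
    print(describe_trust({"cn": "corp.example", "trustDirection": 3, "trustType": 2, "trustAttributes": 0x20}))
    print(describe_trust({"cn": "partner.example", "trustDirection": 1, "trustType": 2, "trustAttributes": 0x4}))
```

Reading these objects is also the quickest audit of Matt's proposed resource domain: if its trust shows WITHIN_FOREST, nothing in the trust can keep Enterprise Admins of the forest out of it.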

RE: [ActiveDir] DNS Issue

2006-07-21 Thread Steve Linehan
What version of the DNS binary are you running and if you clear the cache 
instead of restart DNS does it resolve the issue?
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Fri 7/21/2006 4:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Issue


We have a single Windows 2003 SP1 forest/domain.  DCs run AD integrated zones.  
We have Forwarders configured for a domain e.g. test.com with 2 IP addresses 
entered for the DNS servers in test.com.
 
We have seen a strange issue where queries for a host in the sub-domain 
nyc.test.com fail (even when doing an nslookup directly from the DC).  When we 
restart the DNS service on the DC resolution succeeds for a host in 
nyc.test.com.  After time it appears resolution fails again.
 
Another observation is when (after time) name resolution fails for a host in 
nyc.test.com and we explicitly add nyc.test.com as another Forwarder and 
without restarting the DNS service names in nyc.test.com resolves.  Remove the 
forwarding to nyc.test.com and resolution fails!
 
Any ideas?
 
Regards
David

 

This message contains confidential information and is intended only 

for the individual or entity named. If you are not the named addressee 

you should not disseminate, distribute or copy this e-mail. 

Please notify the sender immediately by e-mail if you have received 

this e-mail by mistake and delete this e-mail from your system. 

E-mail transmission cannot be guaranteed to be secure or error-free 

as information could be intercepted, corrupted, lost, destroyed, arrive 

late or incomplete, or contain viruses. The sender therefore does not 

accept liability for any errors or omissions in the contents of this 

message which arise as a result of e-mail transmission. 

If verification is required please request a hard-copy version. 

This message is provided for informational purposes and should not 

be construed as an invitation or offer to buy or sell any securities or 

related financial instruments. 

GAM operates in many jurisdictions and is 

regulated or licensed in those jurisdictions as required. 

 



RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread Steve Linehan
Unless something else has extended the schema you should be able to look at the
definition in MSDN and find the classes it is used in:
http://msdn.microsoft.com/library/default.asp?url= In your case you only care
about the 2003 classes since that is the version of the schema that you are
running. Remember to put these back once you are finished and of course as
always test your procedure in a test environment to ensure success in
production.

Thanks,

-Steve







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of WATSON, BEN
Sent: Tuesday, July 18, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure


Hello all,

I am at the point where I now have a smooth running Windows 2003 forest and
domain with the one exception of the UID attribute which I bypassed thanks to
the hidden ADPREP switch Steve informed me of.

So I am now attempting to go back and defunct this UID attribute so I can
repair it. Unfortunately, I am unable to do so at this point. When attempting
to defunct the object through Active Directory Schema, I receive an error
stating it cannot be done because "this schema object may be in use as part of
the definition of another schema object". When attempting to set the isDefunct
attribute within UID to TRUE via ADSIEDIT, I receive a more informative error,
"Schema deletion failed: attribute is used in may-contain".

How can I find out which attributes have UID as part of the may-contain
attribute so I can defunct this attribute? If you might have any further
advice for me I would greatly appreciate it.

I've been doing my best to study the schema over the past few days thanks to
Joe's Active Directory book, however I'll readily admit that advanced searching
and filtering are still beyond my grasp at this point.

Thanks,

~Ben


From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

Ben,
 These errors generally occur when a third party application has extended
the schema and it conflicts with the base schema we are trying to put in
place. There were many conflicts found during the initial upgrades to
Windows Server 2003 which is why additional information was put into adprep to
help guide you, in the past it failed with a generic conflict error not telling
you what attributes it had issues with. In your case you appear to have a
problem with the Attribute Syntax for UID and an OID conflict with roomnumber
as well as an isSingleValued mismatch with roomnumber. The OID for RoomNumber
that you gave below used to be in a sample application that showed how to extend
the schema and unfortunately many third party developers took the OID value in
the sample code as literal and used it when defining their objects for schema
extensions even though they were told to provide a unique OID. The sample
code was pulled but there are still many applications out there that used the
literal OID value in the sample. Since you are running Windows 2000 you
do not have a way to defunct these. Do you know what application is using
the information in the roomnumber attribute? I would suggest in a test
environment renaming the roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option "The Schema may be modified on this Domain Controller" using the Schema Manager snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View menu option select Tree and type the following in the BaseDN field: cn=roomNumber,cn=schema,cn=configuration,dc=.. Click OK.
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify.
g. In the Attribute text field add lDAPDisplayName.
h. In the Value field give this to OldroomNumber.
i. Select the Replace radio button.
j. Click Enter to add to the Entry List.
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the Attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber.
o. Select the Replace radio button.
p. Click Enter to add to the Entry List.
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... and select Rename.
s. Enter in the Old DN field the current DN of roomNumber.
t. Enter in the New DN field OldroomNumber.
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.

This should allow the roomNumber attribute in the base Windows
Server 2003 Schema to be imported. You would of course need to update the
third party application to point to the renamed attribute or import the data in
the OldRoomNumber attribute to the new RoomNumber attribute and hope that none

RE: [ActiveDir] Forestprep Failure

2006-07-18 Thread Steve Linehan

Also note you could use the schema documentation tool found
here: http://msdn.microsoft.com/library/default.asp?url="">
if you feel that you may have a schema extension referring to this attribute as
well. Simply look at the containedIn field for UID.

Thanks,

-Steve

From: Steve Linehan 
Sent: Tuesday, July 18, 2006 10:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

Unless something else has extended the schema you should be able
to look at the definition in MSDN and find the classes it is used in: http://msdn.microsoft.com/library/default.asp?url=""
In your case you only care about the 2003 classes since that is the version of
the schema that you are running. Remember to put these back once you are
finished and of course as always test your procedure in a test environment to
ensure success in production.

Thanks,

-Steve

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of WATSON, BEN
Sent: Tuesday, July 18, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

Hello all,

I am at the point where I now have a smooth running Windows 2003 forest and
domain with the one exception of the UID attribute which I bypassed thanks to
the hidden ADPREP switch Steve informed me of.

So I am now attempting to go back and defunct this UID attribute so I can
repair it. Unfortunately, I am unable to do so at this point. When attempting
to defunct the object through Active Directory Schema, I receive an error
stating it cannot be done because "this schema object may be in use as part of
the definition of another schema object". When attempting to set the isDefunct
attribute within UID to TRUE via ADSIEDIT, I receive a more informative error,
"Schema deletion failed: attribute is used in may-contain".

How can I find out which attributes have UID as part of the may-contain
attribute so I can defunct this attribute? If you might have any further
advice for me I would greatly appreciate it.

I've been doing my best to study the schema over the past few days thanks to
Joe's Active Directory book, however I'll readily admit that advanced searching
and filtering are still beyond my grasp at this point.

Thanks,

~Ben

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

Ben,
 These errors generally occur when a third party application has extended
the schema and it conflicts with the base schema we are trying to put in
place. There were many conflicts found during the initial upgrades to
Windows Server 2003 which is why additional information was put into adprep to
help guide you, in the past it failed with a generic conflict error not telling
you what attributes it had issues with. In your case you appear to have a
problem with the Attribute Syntax for UID and an OID conflict with roomnumber
as well as an isSingleValued mismatch with roomnumber. The OID for RoomNumber
that you gave below used to be in a sample application that showed how to
extend the schema and unfortunately many third party developers took the OID
value in the sample code as literal and used it when defining their objects for
schema extensions even though they were told to provide a unique OID. The
sample code was pulled but there are still many applications out there that
used the literal OID value in the sample. Since you are running Windows
2000 you do not have a way to defunct these. Do you know what application
is using the information in the roomnumber attribute? I would suggest in
a test environment renaming the roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option "The Schema may be modified on this Domain Controller" using the Schema Manager snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View menu option select Tree and type the following in the BaseDN field: cn=roomNumber,cn=schema,cn=configuration,dc=.. Click OK.
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify.
g. In the Attribute text field add lDAPDisplayName.
h. In the Value field give this to OldroomNumber.
i. Select the Replace radio button.
j. Click Enter to add to the Entry List.
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the Attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber.
o. Select the Replace radio button.
p. Click Enter to add to the Entry List.
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... and select Rename.
s. Enter in the Old DN field the current DN of roomNumbe
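
Steve's two July 18 replies point Ben at the MSDN class definitions and at the schema documentation tool's containedIn field. As an added example (not code from the thread, from Microsoft, or from that tool), the Python script below answers the same question offline from an LDIF export of the schema naming context, such as one written by ldifde; the embedded LDIF is constructed and its vendor* class names are invented.

```python
"""Find the schema classes that keep an attribute from being defuncted.
Added example, not code from the thread or from Microsoft: reads an LDIF export
of the schema naming context (e.g. from ldifde) and reports every active
classSchema object whose may/must-contain lists name the attribute."""
import base64
from collections import defaultdict

REFERENCE_LISTS = ("mayContain", "systemMayContain", "mustContain", "systemMustContain")
INHERITANCE_LINKS = ("subClassOf", "auxiliaryClass", "systemAuxiliaryClass")

# Constructed sample export; the vendor* class names are invented.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=Vendor-Person,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: vendorPerson
mayContain: uid

dn: CN=Vendor-Sub-Person,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: vendorSubPerson
subClassOf: vendorPerson

dn: CN=Vendor-Old-Class,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: vendorOldClass
isDefunct: TRUE
mayContain: uid

dn: CN=Vendor-Aux,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: vendorAux
mustContain:: dWlk

dn: CN=Vendor-Contact,CN=Schema,CN=Configuration,
 DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: vendorContact
auxiliaryClass: vendorAux
"""

def parse_ldif(text):
    """LDIF -> list of {lowercased attribute: [values]}; handles folded lines
    (continuation starts with a space) and base64 values ("attr:: ...")."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def active_classes(ldif_text):
    """classSchema entries that are not already defunct (defunct ones do not block)."""
    return [e for e in parse_ldif(ldif_text)
            if "classschema" in {v.lower() for v in e.get("objectclass", [])}
            and e.get("isdefunct", ["FALSE"])[0].upper() != "TRUE"]

def classes_referencing(ldif_text, attribute_name):
    """{class lDAPDisplayName: [list names]} for direct references to the attribute."""
    wanted = attribute_name.lower()
    hits = defaultdict(list)
    for entry in active_classes(ldif_text):
        cls = entry.get("ldapdisplayname", ["?"])[0]
        for list_name in REFERENCE_LISTS:
            if wanted in {v.lower() for v in entry.get(list_name.lower(), [])}:
                hits[cls].append(list_name)
    return dict(hits)

def inheriting_classes(ldif_text, direct_classes):
    """{class: [parents]} for classes inheriting the reference via subClassOf/auxiliaryClass."""
    affected = {c.lower() for c in direct_classes}
    result, changed = {}, True
    while changed:                        # fixed point, so multi-level chains resolve
        changed = False
        for entry in active_classes(ldif_text):
            cls = entry.get("ldapdisplayname", ["?"])[0]
            if cls.lower() in affected:
                continue
            parents = [v for k in INHERITANCE_LINKS for v in entry.get(k.lower(), [])]
            via = [p for p in parents if p.lower() in affected]
            if via:
                affected.add(cls.lower()); result[cls] = via; changed = True
    return result
```

Call classes_referencing() with the export text and the attribute's lDAPDisplayName, then inheriting_classes() on that result to see which subclasses and auxiliary-class users pick the reference up indirectly.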

RE: [ActiveDir] Forest trust - domain drop down list

2006-07-14 Thread Steve Linehan
If the client is modern, Windows XP SP1 or later then you can type
domain\username in the username field and it will crack it as well just
in case your users do not want to type their UPN or it is too long. :-)

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, July 14, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trust - domain drop down list

Or you could just get users accustomed to using UPNs for logon and avoid
the problem. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Grillenmeier, Guido
 Sent: Friday, July 14, 2006 10:42 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Forest trust - domain drop down list
 
 yes Tony, this is standard behaviour - you'll only see 
 domains that are directly trusted. Trust type doesn't matter. 
 Even though a forest trust will be transitive to all child 
 domains by default, you'll have to use UPN to authenticate to 
 a child domain. Which is another reason why empty placeholder 
 roots don't really make an administrator's life easier...  
 The challenges continue for viewing objects of a trusted 
 child-domain across a forest trust in the object picker - 
 afaik, it will also just show you the root domain (but you 
 can find objects in the child by searching the GC...)
 
 if you put in a normal external trust between your DomB and 
 the DomA2, you'll lose the benefit of kerberos authentication 
 from your forest trust (when choosing DomA2 in the logon 
 window). If that's ok for you, this is a solution, but then 
 you might as well get rid of the forest trust...
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Freitag, 14. Juli 2006 05:54
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Forest trust - domain drop down list
 
 Here's the scenario
 
 Forest trust between ForestA and ForestB.
 ForestA has two domains DomA1 (placeholder root) and DomA2 
 ForestB has one domain DomB
 
 Users from DomA2 sometimes log into DomB member machines.  
 DomA2 is not shown in the drop-down list of domain names in 
 the login dialog.
 DomA1 is shown.
 
 Users from DomB sometimes log into DomA2 member machines.  
 DomB is not shown in the drop-down list of domain names in 
 the login dialog.
 
 Is it normal behaviour for the drop-down list not to show all 
 the domains with trusts (including those that are transitive 
 via the forest trust)?  If so, is there any way to change the 
 behaviour?
 
 The users can obviously login using UPN, but they are not 
 used to doing this and there is talk of putting in an 
 explicit domain trust between DomA2 and DomB simply to get 
 around this.  Ugh.
 
 Tony
 
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Steve Linehan

I believe I covered most of this on a previous posting to ActiveDir but here
are all of the details into what change was made and why:

 First of all the change that was made requires that an Initial Sync is
completed before DNS will load the zones. This change was made after a
customer reported a very nasty outage of all DNS records for one of their
Domains. Needless to say with no DNS records many things break. So how and why
did this happen? It turns out that many things have to come together but the
end result is that we conflict the MicrosoftDNS container, note not the
application partition. This can occur due to a timing issue that was first
seen when using an Install from Media (IFM) technique across a slow WAN link
and of course you are not using the new feature in Windows Server 2003 SP1
that allows sourcing Application Partitions from media. Because Application
Partitions have the lowest replication priority it was possible that the
machine would register to host the DomainDNSZones application partition but
never get a chance to replicate any information in due to it being pre-empted
by higher priority Config and Domain partition replication. In that case if
the timing was just right it was possible that the DNS server on this box
would recreate the MicrosoftDNS container in order to store the root hints.
This would of course replicate out and cause a CNF and since last writer wins
you would end up with what looked like an empty MicrosoftDNS container, except
for the root hints, which looked like corruption to all of the other DNS
servers since they had records loaded from there at one point. To keep this
from happening a requirement that the DC must perform an initial sync was put
in place. This was the safest way to ensure that we had replicated the
necessary data in before trying to load zones and possibly conflict the
MicrosoftDNS container. There were other places where this type of issue could
pop up such as how we handle SOAs so the change was made. There is additional
work being done in Windows Server Code Name Longhorn to help with this as
well as other performance issues of loading large zones which caused slow DNS
startup times. I have sent Email to the appropriate component owners so that
they can revise if necessary our guidelines on how DNS should be configured
for both Windows Server 2003 and the next version of the product. The only
thing I would not recommend is removing the initial sync requirements by
adding a registry value as this not only has effects on DNS but also the code
that is used to ensure that we do not have multiple machines believing that
they are a particular FSMO owner. Here is the KB for the change that was
introduced and rolled into SP1: http://support.microsoft.com/kb/836534/en-us
I have left out some of the hairy details as to exactly why the above happens
as well as the customer who initially hit this, they know who they are. :-)

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, July 14, 2006 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Guido, have you checked this lately? I know there were several
changes to that behavior in several revs IIRC. The problems you describe
were better than a challenge, as I recall. They had a tendency to wreak
havoc with integrated dns zones when a dc would come up and create a new zone
and then replicate that. There were several fixes related though and that
behavior might have changed several times.

On 7/14/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

I'd have to do some more digging as to *why* the duplicate
app-partitions were created, but I've had to troubleshoot this prior to
SP1. This was during a global Win2003 DC rollout - we used the IFM
feature to rollout the DCs. But prior to SP1 you couldn't add the
application partitions to the dcpromo process (IFM in SP1 now offers
the options to include app partitions during the promotion).

During this rollout a couple of DCs actually re-created the
DomainDnsZones app-partition right after their first reboot, causing
some interesting challenges. Agree they should have contacted the DN
master - not sure why either they didn't, or why the DN master allowed
them to re-create this well-known app-partition.

Anyways, to avoid similar issues, SP1 ensures that AD completes the
replication with one partner prior to allowing the DNS service to read
its records and to register anything. This is actually similar to the
change that was done with either Win2000 SP2 or SP3 to avoid DCs to
advertise their GC status prior to finishing a replication cycle with
another GC or one DC of every domain in their site.

The challenge here is that you get into a race-condition when using
the DC itself as the primary DNS server - of course this will still work,
but you have to

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Steve Linehan

From that machine can you run and post the output of repadmin /showreps
/v ? Is the affected server Windows 2000 or Windows Server 2003 and what SP
levels? I assume you also did not set any preferred bridgehead settings? You
could also use ADLB.exe in report only mode to see the topology. I am guessing
that if you let it bake a little more it will correct itself. Also what is the
replication interval set on that site link, the minimum 15 minutes?

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin
Sent: Thursday, July 13, 2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problem After DC Demotion

We just demoted a W2K DC in our primary site. The demotion was successful and
the NTDS object associated with the DC was removed from AD Sites & Services.

In our only other site, the one domain controller is reporting replication
problems. Replmon is reporting the following: "The DSA Operation is unable to
proceed because of a DNS lookup failure."

The error code from replmon is 8524.

Over an hour has passed. The replication topology is automatic and we have all
default settings in regards to replication schedules etc.

Any suggestions?

Devin

RE: [ActiveDir] Regarding printer configure through web

2006-07-11 Thread Steve Linehan

Depending on your needs and what you are specifically trying to
accomplish you may want to look at the Internet Printing Protocol functionality
that is built into Windows 2000 and Windows Server 2003: http://www.microsoft.com/windowsserver2003/techinfo/overview/internetprint.mspx

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: Tuesday, July 11, 2006 1:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Regarding printer configure through web

Hi Paul,

You are right, this is a Novell product I was not aware of before.

Yesterday my friend told me that.

Thanks,

Sam

On 7/10/06, Paul Glenn [EMAIL PROTECTED] wrote:

You might look into iPrint for Windows 2003. I know it's a Novell product, but
we used it for a few years to allow print access for our wireless patrons. It
was ported over for 2003 in version 3.08 I think.

Paul

On 7/10/06, Ajay Kumar [EMAIL PROTECTED] wrote:

Hi all,

Please help me out, how can I configure a website for the printer server?

Actually we are having 40 printers of different makes and around 1000 users at
different locations. So please tell me how I can create a website for printer
access.

Thanks,

Sam

-- 
***
I've got a fever and the only prescription is more
cowbell.--Christopher Walken 
***

RE: [ActiveDir] Forestprep Failure

2006-07-06 Thread Steve Linehan

Ben,
 These errors generally occur when a third party application has extended
the schema and it conflicts with the base schema we are trying to put in
place. There were many conflicts found during the initial upgrades to
Windows Server 2003 which is why additional information was put into adprep to
help guide you, in the past it failed with a generic conflict error not telling
you what attributes it had issues with. In your case you appear to have a
problem with the Attribute Syntax for UID and an OID conflict with roomnumber
as well as an isSingleValued mismatch with roomnumber. The OID for RoomNumber
that you gave below used to be in a sample application that showed how to
extend the schema and unfortunately many third party developers took the OID
value in the sample code as literal and used it when defining their objects for
schema extensions even though they were told to provide a unique OID. The
sample code was pulled but there are still many applications out there that
used the literal OID value in the sample. Since you are running Windows
2000 you do not have a way to defunct these. Do you know what application
is using the information in the roomnumber attribute? I would suggest in
a test environment renaming the roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have checked the option "The Schema may be modified on this Domain Controller" using the Schema Manager snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View menu option select Tree and type the following in the BaseDN field: cn=roomNumber,cn=schema,cn=configuration,dc=.. Click OK.
e. On the left pane, double click CN=roomNumber...
f. Right click on the roomNumber attribute and select Modify.
g. In the Attribute text field add lDAPDisplayName.
h. In the Value field give this to OldroomNumber.
i. Select the Replace radio button.
j. Click Enter to add to the Entry List.
k. Click Run to confirm success in left pane.
l. Remove the attribute from the entry list.
m. In the Attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber.
o. Select the Replace radio button.
p. Click Enter to add to the Entry List.
q. Click Run to confirm success in left pane.
r. Right click on CN=roomNumber... and select Rename.
s. Enter in the Old DN field the current DN of roomNumber.
t. Enter in the New DN field OldroomNumber.
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.

This should allow the roomNumber attribute in the base Windows
Server 2003 Schema to be imported. You would of course need to update the
third party application to point to the renamed attribute or import the data in
the OldRoomNumber attribute to the new RoomNumber attribute and hope that none
of the values were multivalued and that the application was not referring to it
by OID. Next you need to address the syntax of the UID attribute. We
are expecting the syntax to be String (Unicode) 2.5.5.12 not String (Printable)
2.5.5.5. This problem is tougher as there is not a supported way to
change the syntax of an attribute and renaming it will not work since the OID
is the one we are expecting, yes there are ways it can be done but it would
leave you in an unsupportable state. To fix this issue I would recommend
running ADPREP /forestprep /nosyntaxcheck, yes this is a hidden switch and
should only be used in cases where one cannot make changes to the conflicting
attribute to make it compliant with the base schema. Also note you must be using
ADPREP from SP1 or a QFE that was used to distribute adprep from SP1 to use this
switch. You can then upgrade to Windows Server 2003 and after this is
successful then take the forest to Windows Server 2003 Forest Functional Level
which will allow you to defunct this attribute and fix it to match the expected
definition. Note in both cases you may break the third party application
that defined these values that are in conflict. I would suggest testing
to ensure that the third party application works after making the above changes
or that steps are taken to mitigate the loss of functionality in the third
party application. I would also suggest opening a case with Microsoft
Support if further assistance or issues arise and fully testing before doing
any of this in production.

Thanks,

-Steve

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of WATSON, BEN
Sent: Thursday, July 06, 2006 4:34 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

To try and answer everyone's question all at once:

At this point, we don't have Exchange running in our test
environment, we do have copies of the servers there, but have not re-added them
to the domain to bring them up. I don't think that having the
actual Exchange servers online should really matter at

RE: [ActiveDir] NTFS ( 16 Exabyte's )

2006-06-29 Thread Steve Linehan

We also made GPT available on x86 with Windows Server 2003 SP1
however it is still not supported for shared disks.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Thursday, June 29, 2006 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTFS ( 16 Exabyte's )

Hi Steve,

Thank you for the reply. I was not aware of a GPT disk on X64. I realize that
a two terabyte volume is large, however the group that I am supporting has a
database that is close to 4 terabytes, and have asked for the largest volume
available.

Thank you for taking the time to reply,

Jose :-)

- Original Message -
From: Steve Linehan
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 28, 2006 7:54 PM
Subject: RE: [ActiveDir] NTFS ( 16 Exabyte's )

Jose,

 This is due to the fact that MBR disks are limited to 2
TB in size. You would need to go to GPT disks to see a larger disk:
http://www.microsoft.com/whdc/device/storage/GPT-on-x64.mspx
Unfortunately we do not support GPT disks on cluster servers at this
time for the shared disks. As far as corruption we have customers running
much larger volumes and the biggest concern is disaster recovery times.

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 28, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFS ( 16 Exabyte's )

Greetings,

Quick question. I just finished building two new 2003 servers running
Microsoft Clustering services and presented two 2047 Gigabyte LUNS to each
cluster node. However, the OS is only seeing 1.99 Terabytes (Please see my
screen capture). I specifically recall from my Microsoft NT 3.51 server class
taught by Michael Van Dercreek at Technology Education Centers back in 1996
using official MOC, that NTFS is a 64 bit file system ( 2 to the 64th power =
16 Exabytes ). 16 Exabytes is the largest partition available on NT 3.51,
however I do not seem to recall if this has been changed in 2003, since I have
only taken a course on Active Directory 2003, Exchange 2003, SQL 2005 and ISA
2004.

So why am I only seeing 1.99 TB on a 2.47 TB LUN? Is any one else running a
larger LUN size using NTFS? Any issues or corruption of the MFT that I should
know about?

My apologies in advance for the newbie question ( I really should know this
answer ).

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT 408-765-0437 Direct, 408-449-6621 Cell

Anyone who has never made a mistake has never tried anything
new. Albert Einstein

RE: [ActiveDir] NTFS ( 16 Exabyte's )

2006-06-28 Thread Steve Linehan

Jose,

 This is due to the fact that MBR disks are limited to 2 TB in
size. You would need to go to GPT disks to see a larger disk:
http://www.microsoft.com/whdc/device/storage/GPT-on-x64.mspx
Unfortunately we do not support GPT disks on cluster servers at this time for
the shared disks. As far as corruption we have customers running much larger
volumes and the biggest concern is disaster recovery times.

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 28, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFS ( 16 Exabyte's )

Greetings,

Quick question. I just finished building two new 2003 servers running
Microsoft Clustering services and presented two 2047 Gigabyte LUNS to each
cluster node. However the OS is only seeing 1.99 Terabytes (Please see my
screen capture). I specifically recall from my Microsoft NT 3.51 server class
taught by Michael Van Decreek at Technology Education Centers back in 1996
using official MOC, that NTFS is a 64 bit file system ( 2 to the 64th power =
16 Exabytes ). 16 Exabytes is the largest partition available on NT 3.51,
however I do not seem to recall if this has been changed in 2003, since I only
took a course on Active Directory 2003, Exchange 2003, SQL 2005 and ISA 2004.

So why am I only seeing 1.99 TB on a 2.47 TB LUN? Is any one else running a
larger LUN size using NTFS? Any issues or corruption of the MFT that I should
know about?

My apologies in advance for the newbie question ( I really should know this
answer ).

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT 408-765-0437 Direct, 408-449-6621 Cell

Anyone who has never made a mistake has never tried anything
new. Albert Einstein

RE: [ActiveDir] AD LDAP Logging.

2006-06-09 Thread Steve Linehan

I would suggest taking a look at Server Performance Advisor (SPA), assuming
these are Windows Server 2003 DCs, and using it to collect and analyze the data
for the DCs in question.  This tool combines performance counters and the
tracing data that Joe is referring to which will allow you to get very detailed
information on what is occurring.  This tool will give you a peek into the new
performance and monitoring capabilities that we are adding into the next
versions of the OS.  It will also give you hints on what we believe the
performance problems are.  One of these days when I get a chance I will try to
write a blog entry on all of the things you can do with SPA.  By the way it
also collects information for other server roles as well such as IIS giving you
tremendous amounts of detail found nowhere else.  Yes event tracing is the
future of not only performance monitoring but debugging difficult issues.

You can download SPA from here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic, it will not log LDAP errors from
anything I have seen. This is something I have asked for from MSFT as well,
very detailed LDAP logging like you can enable with some of the other
directories. Usually I hear a response of "use event tracing" but I haven't
had a chance to really dig deep into that yet to see how useful it will be.

It depends on what error messages the code is displaying, but possibly a query
timed out? That could be indicative of a very poor query. By default, if a
query goes more than 2 minutes, it will get dropped.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe.

I will use perfmon to monitor the health of my DC.

Another question.

The Web app timed out with this generic error "the server is down", where the
server = mydc.

At the time the web app timed out, I saw no errors about ldap connections
between my dc and the zope server.

With the Field Engineering set to 5 and if the web app timed out, will an LDAP
error appear in my eventlogs that states a disconnection occurred?

Thanks for taking time to reply,

Cheers,

Yann

- Original Message -

From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are
specifying how expensive you want the query to be before AD reports it.

Changing Expensive to 1, according to the docs means that as soon as a query
has to look at one or more entries it will be logged. So when you turn down
that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't
indexed and a filter with no indexed attributes is generally considered
inefficient unless it is properly scoped. The fact that you are returning 58
of 63 entries means that that isn't too bad, but just the same, I would work
on getting the query changed to using an indexed attribute or more likely,
because so many apps/scripts screw up around objectclass, indexing
objectclass AND getting the query changed.

When you see big noticable deltas in how
long the same query takes to run, it is usually a couple of things that could
be at fault, possibly Eric will pipe in with more. The first is that the DC is
tied up with something else and just can't give you the proc time, the other is
that it has to go to disk instead of pulling from cache. Either way you should
be looking at your perf counters to see how the DC is performing. I tend to
really look at disk counters because that is where it often falls down at.
Things like disk queue and and number of read ops for the DIT drive (write ops
are usually a rounding error except during heavy population periods)are
the things I immediately focus on. Just seeing the number of read ops doesn't
help, you have to understand your disk architecture because on some systems 500
read ops may be just fine, but on others it could beover what the disk
system is capable of sustaining so you start backing up. As a quick rule of
thumbI start with the assumptionthat each spindle that is part of the
volume gives you 100 IOPS capability. That can be generous so if you are on the
edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a
RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should
bear that 

RE: Re : [ActiveDir] AD LDAP Logging.

2006-06-09 Thread Steve Linehan

Perfmon trace logs will generate the raw binary trace data but it has to be processed.  The easiest way to get at this data is to use SPA which will collect the binary trace data and process it into human readable format.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Ok thanks.

When you said "...use event tracing...", do you mean using Perfmon Trace Logs?

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 04:34:33
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic, it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be.

It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe.

I will use perfmon to monitor the health of my DC.

Another question.

The Web app timed out with this generic error: "the server is down", where the server = mydc.

At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server.

With the Field Engineering set to 5 and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,

Cheers,

Yann

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 02:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it.

Changing Expensive to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't indexed and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault, possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time, the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down at. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help, you have to understand your disk architecture because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining so you start backing up. As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out. Of course I tend to focus on disk because memory is almost always boosted up there because most people realize how important RAM is but only folks who think about Exchange tend to think about disk and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better if you don't care about fault tolerance a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion 

RE: RE : RE: [ActiveDir] AD LDAP Logging.

2006-06-09 Thread Steve Linehan

It is true that SPA is not localized but I believe the French version will be ok.  The problem comes about with the localization of the perfmon data.  If you have problems post back and we can try a few workarounds because we are only really interested in the trace data at this point which should not be impacted.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.

Thank you for your answer Steve. I will install SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc.).

Will this version of SPA work on a W2K3 SP1 French version?

Regards,

Yann

Steve Linehan [EMAIL PROTECTED] wrote:

I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way it also collects information for other server roles as well such as IIS giving you tremendous amounts of detail found nowhere else. Yes event tracing is the future of not only performance monitoring but debugging difficult issues.

You can download SPA from here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic, it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be.

It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe.

I will use perfmon to monitor the health of my DC.

Another question.

The Web app timed out with this generic error: "the server is down", where the server = mydc.

At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server.

With the Field Engineering set to 5 and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,

Cheers,

Yann

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 02:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it.

Changing Expensive to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't indexed and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault, possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time, the other

RE: [ActiveDir] Machine Psswd Age

2006-06-01 Thread Steve Linehan
Agreed I have many things that need to go into a blog and that is likely
something I will be working on in the near future.  I just hate to set
one up on technet and then not post, like someone else we know who took
forever to get their first post up and happens to open the garage doors
on campus. :-)  As far as NT 4.0 is concerned I have not debugged or
reviewed that code in years but I do not recall it being that much
different except for the default time changing to 30 days.  As far as
netlogon debug logging you want at a minimum NL_MISC.  I normally use
0x2000 to get the standard output and 0x2080 and then work up
from there on the more verbose logging.  Of course it does help to look
at the source and see what flag they logged a particular event against
but you can get there with trial and error.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, June 01, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

 Probably more than you ever wanted to know about machine account password changes.

Not at all - my brain sucks that stuff in. To be complete: was it the
same with NT4, or was there such a thing as half-time renewal? What's
the required level of netlogon-debug-logging? 1 enough?

Don't you want to share this info on a blog? It's great, and we could
give you credits and avoid typing whenever there's a discussion of that
topic.
Might be worth including the imaged-client and reset password on a
computer account discussions.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail.  The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes.  This
is done by the netlogon service on the client and there is a scavenger
thread that wakes up and performs the reset once this threshold is met.
If it cannot reach a Domain Controller it will go back to sleep and
wake up every 15 minutes to try and reset the password.  You can see
this behavior by turning up netlogon debug logging and see the following
output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e
c05e   ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds when converting this you will see in
the random offset case the value is really ~30.56 days where the one in
success is exactly 30 days.  Probably more than you ever wanted to know
about machine account password changes.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about
disablePasswordChange has not been updated pretty long (still stated
only NT in the early WS2k3 days). 

The following page even states that the NT4 Workstation changes the
password every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from Google
more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message

RE: [ActiveDir] Machine Psswd Age

2006-05-30 Thread Steve Linehan
Just to add some additional detail.  The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes.  This
is done by the netlogon service on the client and there is a scavenger
thread that wakes up and performs the reset once this threshold is met.
If it cannot reach a Domain Controller it will go back to sleep and
wake up every 15 minutes to try and reset the password.  You can see
this behavior by turning up netlogon debug logging and see the following
output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e
c05e   ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:

05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds when converting this you will see in
the random offset case the value is really ~30.56 days where the one in
success is exactly 30 days.  Probably more than you ever wanted to know
about machine account password changes.


Thanks,

-Steve
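As an added example (not part of the thread or of any Microsoft tooling), the following Python decodes the NlWksScavenger lines shown above: the hex value is the wait in milliseconds before the scavenger runs again, so 0x9a7ec800 is exactly 30 days, 0x9d671aca is 30 days plus a random offset, and 0xdbba0 is the 15-minute retry logged when no DC could be reached. The embedded log excerpt is constructed from the thread's lines (each event on one line, as netlogon.log writes it), and the status labels and field names are my own.

```python
"""Decode netlogon.log NlWksScavenger lines: the hex value in parentheses is
the number of milliseconds until the scavenger thread wakes up again."""
import re
from datetime import timedelta

MS_PER_DAY = 24 * 60 * 60 * 1000
DEFAULT_MAX_AGE_MS = 30 * MS_PER_DAY      # default machine password age, W2K and later
RETRY_MS = 15 * 60 * 1000                 # retry interval when no DC could be reached

# Constructed sample modelled on the excerpts quoted in the thread.
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
"""

SCAVENGER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[MISC\] NlWksScavenger: "
    r"Can be called again in (?P<human>[^(]+?) \((?P<hex>0x[0-9a-fA-F]+)\)\s*$"
)
# Lines that mean the client could not find a DC for the password change.
DC_FAILURE_RE = re.compile(r"NlDiscoverDc: Cannot find DC|Eventlog: 5719")


def ms_to_days(ms):
    return ms / MS_PER_DAY


def format_interval(ms):
    """Exact interval, e.g. 0x9a7ec800 -> '30 days, 0:00:00'."""
    return str(timedelta(milliseconds=ms))


def classify(ms):
    """Label the wait the scavenger logged (labels are my own, not netlogon's)."""
    if ms == RETRY_MS:
        return "dc-unreachable-retry"
    if ms == DEFAULT_MAX_AGE_MS:
        return "changed-no-offset"
    if DEFAULT_MAX_AGE_MS < ms <= DEFAULT_MAX_AGE_MS + MS_PER_DAY:
        return "changed-random-offset"    # random offset of up to 24 hours
    return "unexpected"


def parse_scavenger(log_text):
    """Return one record per NlWksScavenger line, noting a preceding DC failure."""
    events = []
    dc_failure_seen = False
    for line in log_text.splitlines():
        if DC_FAILURE_RE.search(line):
            dc_failure_seen = True
            continue
        m = SCAVENGER_RE.match(line)
        if not m:
            continue
        ms = int(m.group("hex"), 16)
        offset_ms = max(0, ms - DEFAULT_MAX_AGE_MS)
        events.append({
            "timestamp": m.group("ts"),
            "logged_as": m.group("human").strip(),
            "interval_ms": ms,
            "days": round(ms_to_days(ms), 2),
            "exact": format_interval(ms),
            "offset_hours": round(offset_ms / 3_600_000, 2),
            "status": classify(ms),
            "preceded_by_dc_failure": dc_failure_seen,
        })
        dc_failure_seen = False
    return events


if __name__ == "__main__":
    for e in parse_scavenger(SAMPLE_LOG):
        print(f'{e["timestamp"]} {e["status"]:22} logged "{e["logged_as"]}" '
              f'= {e["exact"]} ({e["days"]} days, offset {e["offset_hours"]} h)')
```

Run against a real netlogon.log, a steady stream of 15-minute retries from one client is the signal that it has not been able to reach a DC to rotate its password.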

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, May 28, 2006 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Hmm - I can not find where I got this information from. The KB about
disablePasswordChange has not been updated pretty long (still stated
only NT in the early WS2k3 days). 

The following page even states that the NT4 Workstation changes the
password every 3 days, and retries after another 3 days:
http://www.microsoft.com/technet/archive/winntas/maintain/ntopt4.mspx?mfr=true

However I stand corrected - need to update my brain's cache from Google
more often - too bad brains don't support TTL of websites.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 24, 2006 9:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

I agree with Bob. Seven days pre-W2K, 30 days for W2K and better.

I have never seen a machine change its password at the 50% age and I 
have looked at this quite a bit for various[1] reasons.


  joe




[1] OldCmp being one of them...

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, May 24, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

The default was 7 days for NT, increased to 30 in W2K and above. See 
http://support.microsoft.com/kb/154501/ or q175468 or any of the old 
domain sizing docs.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Wednesday, May 24, 2006 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

AFAIK the password change interval is set to 30 in XP (15 in NT, W2k), 
but the computer accounts starts to request renewal after 50% of the 
time is over. After 30 days it'll change it if being logged onto the 
domain for sure (unless otherwise configured or connected).

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, May 24, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine Psswd Age

Anyone know how often machine passwords are renew/reset in the domain?

-Z.V.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 

RE: [ActiveDir] How To Determine What GC a Server is Using?

2006-05-26 Thread Steve Linehan
Actually the article should probably be updated to use the built-in tasklist 
tool since it is targeted at Windows Server 2003.  The only nice thing about 
the event log is that it gives you a historic record and if he is losing 
connections to the GCs it will mark them as bad so if he can not get to the 
machine quick enough to get the netstat output he would have a historic record 
that the list of viable GCs changed.  If this corresponds to his outage it 
would give him a good idea of which GC it was.  That being said yes I wish that 
regtrace was documented more but I like Joe am a directory guy and only dabble 
in Exchange when someone points the finger at the directory.  I will pass the 
comments on to the Exchange support and dev teams but I do believe part of this 
is being addressed in the next version of the product.  I know I know the 
dreaded next version cop out. :-)
 
Thanks,
 
-Steve
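As an added example (not from the thread, and not Microsoft tooling), here is the netstat -ano / tasklist join that Steve and Al describe, done offline on constructed sample output so it can be checked against a capture taken from the Exchange server: rows whose foreign port is 3268 or 3269 are resolved to the owning image name via tasklist /fo csv, which is what tells you whether it is mad.exe that holds the GC connections. The sample netstat and tasklist text, the addresses and the PIDs are all made up.

```python
"""Join 'netstat -ano' and 'tasklist /fo csv' output to see which processes
on an Exchange server hold connections to Global Catalog ports."""
import csv
import io
import re
from collections import defaultdict

GC_PORTS = {3268: "LDAP-GC", 3269: "LDAPS-GC"}   # the GC ports named in the thread

# Constructed sample in the 'netstat -ano' layout of Windows Server 2003.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    10.1.1.20:1061         10.1.1.5:3268          ESTABLISHED     2204
  TCP    10.1.1.20:1062         10.1.1.5:3268          ESTABLISHED     2204
  TCP    10.1.1.20:1088         10.1.1.6:3269          ESTABLISHED     2204
  TCP    10.1.1.20:1103         10.1.1.6:389           ESTABLISHED     2204
  TCP    10.1.1.20:1140         10.1.1.7:3268          TIME_WAIT       0
  TCP    10.1.1.20:1155         10.1.1.5:3268          ESTABLISHED     3120
  UDP    10.1.1.20:137          *:*                                    4
"""

# Constructed sample in the 'tasklist /fo csv' layout.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"svchost.exe","948","Console","0","4,812 K"
"mad.exe","2204","Console","0","38,120 K"
"store.exe","3120","Console","0","210,664 K"
"""

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist_csv(text):
    """Map PID -> image name from 'tasklist /fo csv' output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def gc_connections(netstat_text, tasklist_text, processes=None, established_only=True):
    """Return netstat rows whose foreign port is a GC port, resolved to a process name.

    processes: optional set of image names to keep, e.g. {"mad.exe"}.
    """
    images = parse_tasklist_csv(tasklist_text)
    rows = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        if proto != "TCP" or not port.isdigit() or int(port) not in GC_PORTS:
            continue
        if established_only and state != "ESTABLISHED":
            continue
        image = images.get(int(pid), f"pid {pid}")
        if processes and image not in processes:
            continue
        rows.append({"process": image, "pid": int(pid), "gc": host,
                     "port": int(port), "service": GC_PORTS[int(port)], "state": state})
    return rows


def gcs_by_process(rows):
    """Collapse rows to {process: sorted GC addresses it is talking to}."""
    out = defaultdict(set)
    for r in rows:
        out[r["process"]].add(r["gc"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    rows = gc_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for r in rows:
        print(f'{r["process"]:10} (pid {r["pid"]}) -> {r["gc"]}:{r["port"]} '
              f'{r["service"]} {r["state"]}')
    print(gcs_by_process(rows))
```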



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 5/26/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How To Determine What GC a Server is Using?


I might point out that in that KB there should be a link to tlist for download. 
You know, just to make sure it's on the machine in question.  
I suspect there's also not a lot of reason to read the event log first when 
netstat -ao would be able to tell you which servers (2003 expected) the 
Exchange server is talking to on GC ports. Piping it to something like FIND or 
GREP would further reduce the information domain. 
 
Contact PSS for interpretation? Can't there be a DCR to make that better and 
the user more self-sufficient? :)
 
BGINFO is not something to rely on for Exchange troubleshooting.  I know it was 
assumed in the post, but BGINFO while a great and useful tool, is going to talk 
about the session information which may or may not be the same as what Exchange 
is using.  It would be coincidence if it was the same. Mostly. 
 
-ajm


On 5/25/06, Steve Linehan [EMAIL PROTECTED] wrote:
 
 The following method will show you what GCs Exchange has discovered and 
 believes are viable servers: http://support.microsoft.com/kb/316300/en-us .  
 While this will not tell you the exact GC Exchange is using, it could be 
 using multiple GCs, it will help you narrow down the list.  You could then 
 use a network capture or look at netstat -ao, assuming Windows 2003, which 
 will list the current connections and the process ID that owns them.   If 
 this still does not help you track it down you can enable Regtrace and have 
 PSS help interpret the output. 
 
 Thanks,
 
 -Steve
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
 Sent: Thursday, May 25, 2006 10:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?
 
 I got 'mad.exe' results, but not those specific port numbers.  Would the port 
 number be different for all servers? 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Thursday, May 25, 2006 7:25 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How To Determine What GC a Server is Using? 
 
 How about netstat -b ?  Look for mad.exe connecting to port 3268 (or 3269 
 for SSL).
 
 Tony
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett 
 Sent: Friday, 26 May 2006 1:13 p.m.
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?
 
 Isn't the 'Login Server' the same as the Domain Controller?  If I do a 
 'set.exe' from a command prompt, I get the same info as LOGONSERVER.  What 
 I need specifically, is the Global Catalog server (unless I'm going about 
 this incorrectly). 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
 Sent: Thursday, May 25, 2006 5:51 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How To Determine What GC a Server is Using? 
 
 Stu,
 
 Download and configure BGINFO and check the Login Server attribute...
 
 http://www.sysinternals.com/Utilities/BgInfo.html
 
 James Blair 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
 Sent: Friday, 26 May 2006 10:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] How To Determine What GC a Server is Using?
 
 We have a strange situation here where one of our Exchange servers keeps 
 getting 8026 and 2102 errors.  This causes our users on that Exchange server 
 to temporarily lose connection to the Exchange server.  Also, my Unity server 
 just failed

RE: [ActiveDir] How To Determine What GC a Server is Using?

2006-05-25 Thread Steve Linehan

The following method will show you what GCs Exchange has discovered and believes are viable servers: http://support.microsoft.com/kb/316300/en-us . While this will not tell you the exact GC Exchange is using, it could be using multiple GCs, it will help you narrow down the list. You could then use a network capture or look at netstat -ao, assuming Windows 2003, which will list the current connections and the process ID that owns them. If this still does not help you track it down you can enable Regtrace and have PSS help interpret the output.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, May 25, 2006 10:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

I got 'mad.exe' results, but not those specific port numbers. Would the port number be different for all servers?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, May 25, 2006 7:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

How about netstat -b ? Look for mad.exe connecting to port 3268 (or 3269 for SSL).

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 May 2006 1:13 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

Isn't the 'Login Server' the same as the Domain Controller? If I do a 'set.exe' from a command prompt, I get the same info as LOGONSERVER. What I need specifically, is the Global Catalog server (unless I'm going about this incorrectly).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, May 25, 2006 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How To Determine What GC a Server is Using?

Stu,

Download and configure BGINFO and check the Login Server attribute...

http://www.sysinternals.com/Utilities/BgInfo.html

James Blair

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 May 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How To Determine What GC a Server is Using?

We have a strange situation here where one of our Exchange servers keeps getting 8026 and 2102 errors. This causes our users on that Exchange server to temporarily lose connection to the Exchange server. Also, my Unity server just failed over to the secondary Unity server at exactly the same time my last Exchange 8026 error happened. This leads me to believe I may have a problem with a global catalog server. Is there a way to determine what GC each server is using?

Thanks in advance.

RE: [ActiveDir] Primary or Integrated DNS Zone

2006-05-25 Thread Steve Linehan

Take a look at the following Knowledge Base article and online help that cover all of the scenarios below: http://support.microsoft.com/kb/816592 and http://technet2.microsoft.com/WindowsServer/en/Library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true . Your Linux clients can be thought of as legacy clients, i.e. those that do not support option 81.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Thursday, May 25, 2006 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Primary or Integrated DNS Zone

I am going to install a Win2003; it will be a domain controller. I am going to install DNS Server Service and DHCP Server Service but this scenario will be for:

Provide DNS for 5 Win servers and several XP clients. (DNS dynamic updates)

At the same time the DHCP server should provide IP addresses for 100 Linux client computers.

- Those computers are not going to update automatically to the DNS ... once the DHCP provides them an IP address.

Do I have to configure a Primary Zone instead of Active Directory integrated zones?

Do I have to manually create name mappings for Linux PCs?

I am not sure how the DHCP - DNS will behave once the IP address is released to the Linux client?

Thanks & comments

RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

2006-05-04 Thread Steve Linehan
The This Organization security principal is used for selective
authentication.  More details on this can be found here:
http://technet2.microsoft.com/WindowsServer/en/Library/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff11033.mspx

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 04, 2006 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security
groups?

Have you any idea what the this organization thing is? I noticed that
when I went and did gpresult on one of mine in reference to this thread.


Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Thursday, May 04, 2006 9:47 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security 
 groups?
 
 That is odd. Here is what one of my DCs shows
 
 BUILTIN\Administrators
 Everyone
 BUILTIN\Users
 Windows Authorization Access Group
 NT AUTHORITY\NETWORK
 NT AUTHORITY\Authenticated Users
 This Organization
 ServerName$
 Domain Controllers
 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
 
 
 The first thing I would do is look at that DC directly to make sure it
 has all the proper values on itself. If it does, then I would use
 gpresult and ethereal and get a trace just to make sure that it is
 using the info on the local machine. You can even set up the gateway
 values so that you could see the traffic locally but mostly you just
 want to see if the queries are going off the box and you don't need to
 change any IP config to capture that, just watch the traffic for all
 LDAP packets. If it is going off the box for the info, go look at the
 DC it is querying and find out what is dorked up.
 
   joe
 
 
 
 
 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
 Sent: Tuesday, May 02, 2006 5:35 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] GPResult incorrectly reporting DC's security 
 groups?
 
 I am currently looking at a forest which had some issues after 
 DCPromo'ing some of the DCs, most of the problems appear to be 
 resolved.
 
 However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in
 GPResult (and GPMC) output :
 
 The computer is a part of the following security groups
 ---
 BUILTIN\Administrators
 Everyone
 BUILTIN\Users
 NT AUTHORITY\NETWORK
 NT AUTHORITY\Authenticated Users
 This Organization
 computeraccountname$
 Domain Computers
 
 So it is reporting to be a member of Domain Computers, when it should 
 not be.
 
 More concerning is that it is not reporting as being a member of the 
 following groups :
 BUILTIN\Pre-Windows 2000 Compatible Access
 Windows Authorization Access Group
 Domain Controllers
 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
 
 Via Active Directory Users and Computers, group membership appears 
 correct.
 
 Looking at the attributes of the DC's computer account, it can be seen
 that the primaryGroupID is 516 (Domain Controllers).
 
 I have had a good look over the DC and can not see sign of any other 
 problems and the DC is being used by clients without issues.
 
 Does anyone have any suggestions as to why the group membership appears
 incorrect? Or how else to interrogate the computer's token?
 
 
 Also, something I have not noticed before : looking at the attributes
 of a DC's computer account via LDP, Domain Controllers is not listed
 in memberOf.  Is that expected behaviour and if so why?
 
 Many thanks,
 Ali.
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-
 archive.com/activedir%40mail.activedir.org/
 


RE: [ActiveDir] dealing with authentication errors after password change?

2006-05-02 Thread Steve Linehan
You can enable password history of at least 3 and then we will not
increment the bad password count in those instances.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Password history check (N-2): Before a Windows Server 2003 operating
system increments badPwdCount, it checks the invalid password against
the password history. If the password is the same as one of the last two
entries that are in the password history, badPwdCount is not incremented
for both NTLM and the Kerberos protocol. This change to domain
controllers should reduce the number of lockouts that occur because of
user error.

This was back ported to Windows 2000 as well.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, May 02, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dealing with authentication errors after
password change?

Accounts tend to get locked out, helpdesk tickets generated, and it all
works itself out. If it keeps happening the helpdesk can escalate the
username to me and I'll go check the eventlog database and figure out
where they're logged in. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir- 
 [EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
 Sent: Tuesday, May 02, 2006 5:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] dealing with authentication errors after password change?
 
 How do other admins deal with the copious authentication errors a user
 will generate after the user resets his password with a CNTL+ALT+DEL
 and stays logged into the session with his old credentials?
 
 Mike Thommes


RE: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

2006-04-25 Thread Steve Linehan



If you are running SharePoint and are not running Windows Server 2003 R2
with the latest version of WSS then the default behavior for SharePoint is
to use NTLM, no matter what the client setting. You can change this but
that is another conversation.

That being said, do you know what DC is actually authenticating the user?
Depending on where the account resides you would be using NTLM chaining
through secure channels to get to a DC in the account domain, so to build
that chain you can use nltest /sc_query:<domain> on the SharePoint server
to see what DC in the domain in which the SharePoint server is located it
has its secure channel with. If the user account is in the same domain as
the SharePoint server you are finished; if not, you need to go to that DC
and then run nltest /sc_query:<user domain> to find out which DC it has its
secure channel set up to for that particular user domain. You would then be
able to query the lastlogon attribute on that DC, since that attribute is
not replicated. You can also turn up netlogon logging on the SharePoint
server to log where the requests are going.

The problem that you will have is that if the secure channel changes then
you would need to go to the new DC to get the lastlogon time. As you can
see this is not an easy problem to solve, and even if you were at Windows
Server 2003 FFL and had lastlogontimestamp, it is loosely replicated so you
are still not going to get the behavior you want. Kerberos makes this even
more difficult as the client is talking to the KDC to get the ticket, and
that KDC could be any DC in its domain and is not predictable. As far as
the types of logins that update that attribute, I believe all of them do
now, though there may be a few that still do not; I will try to work on
getting a list.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, April 25, 2006 2:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

Thanks Steve for your reply.
Yes DCs are running Win2003 SP1, and webservers are win2003 sharepoint servers.
If it helps: DFL is windows 2000 mixed and FFL is Windows 2000, so I guess
Lastlogontimestamp is not populated and that's why we are looking at the
lastlogon attribute. I also checked on clients that "Enable Windows
integrated authentication" is enabled, which would try to use Kerberos first
then NTLM. (as per KB problem is when NTLM is used)
Anything else I should check? Also, as Deji requested, a list of logon types
which update this attribute will also be of great help.

--
Kamlesh
~ "Be the change you want to see in the World" ~

On 4/24/06, Steve Linehan [EMAIL PROTECTED] wrote:

  Are you running Windows Server 2003 SP1? We fixed a number of scenarios where
  this attribute was not updated for other logon types in SP1. Here is
  just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705

  Thanks,

  -Steve

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
  Sent: Monday, April 24, 2006 2:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

  Dear list members,
  My apologies if this sounds OT.
  We have some win2k3 web servers which use windows integrated authentication,
  and managers now want to display lastlogon time for all users who use those
  web servers. Problem is the lastlogon attribute of users is not updated when
  users log in to those web servers; it is only updated when users do a normal
  Windows interactive logon. Does anyone know what kind of user login web
  servers do for integrated authentication? And can it be changed in such a
  way that it results in the lastlogon time stamp getting updated?
  --
  Kamlesh
  ~ "Be the change you want to see in the World" ~


RE: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

2006-04-25 Thread Steve Linehan



The version of WSS that ships in the box (WSS SP2) with R2 enables Kerberos
by default upon installation of that component, so if he had deployed
Windows Server 2003 R2 and installed SharePoint, which uses WSS, then his
default config for SharePoint would have been to use Kerberos as the default
authentication mechanism. Before this you had to use the following KB to
change it: http://support.microsoft.com/kb/832769/en-us.
In the upgrade scenario I am not sure if we will switch it out from under
you or not.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, April 25, 2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

When you say "not running R2"... what exactly about "R2" causes a change?
You imply that the application of R2 causes additional changes in the
default behavior? (and just so you know the reason why I'm being
nitpicky... SBS 2003 gets disk quotas now out of the R2 bits...but nothing
else)

Steve Linehan wrote:

  

RE: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

2006-04-24 Thread Steve Linehan



Are you running Windows Server 2003 SP1? We fixed a 
number of scenarios where this attribute was not updated for other logon types 
in SP1. Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, April 24, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?

Dear list members,
My apologies if this sounds OT.
We have some win2k3 web servers which use windows integrated authentication,
and managers now want to display lastlogon time for all users who use those
web servers. Problem is the lastlogon attribute of users is not updated when
users log in to those web servers; it is only updated when users do a normal
Windows interactive logon. Does anyone know what kind of user login web
servers do for integrated authentication? And can it be changed in such a
way that it results in the lastlogon time stamp getting updated?
--
Kamlesh
~ "Be the change you want to see in the World" ~


RE: [ActiveDir] How to verify which DC authenticated a user account?

2006-04-14 Thread Steve Linehan
Just be aware that the %Logonserver% value is not updated if the secure
channel drifts after logon, and it does not necessarily mean that the server
has always had its secure channel with that machine.  This can happen if
the machine experiences an error communicating with that logon server.
If you run nltest /sc_query:<domain> on the member server, where domain
is the member server's domain, then you can see what DC you currently have
your secure channel with and are doing pass-through authentication with.
You can then go to that DC and, if the accounts are from another domain,
find out what DC in that account domain it has its secure channel with.
You basically need to build the pass-through authentication path, which
can be quite complex when many domains and servers are involved.  This
is assuming that you are using NTLM.

If you are using Kerberos then the machine that you have your secure
channel with and the logonserver variable only tell you a state in time;
this can change over time, and unless it is doing protocol transition or
delegation the client is doing all of the heavy lifting up front to get a
ticket.

If you think you are having performance issues because you are going to a
remote DC and believe you are using NTLM, you can turn up netlogon logging
with a dbflag of 0x2080 for general logging and see how long it is taking,
as well as whether the secure channel is failing or changing.  Once you find
the DCs involved you could use Server Performance Advisor (assuming
Windows Server 2003) and see what type of authentication load they are
handling.  I mention this because I have seen cases where group
expansion is killing the DCs' response time, and that will be apparent in
the SPA report.  Also be aware that if these reporting servers or the
database server, depending on exactly how it is configured, are doing
many NTLM pass-through authentications a second, they could be
running into the MaxConcurrentApi limitation that is described here:
http://support.microsoft.com/kb/326040/en-us, and you can try bumping it up
to see if it helps; this is assuming everything else checks out and is
healthy and that you are using NTLM.

I assume that these servers pulling reports are doing it on behalf of users
and authenticating those users, i.e. a multi-tiered application?  Anyway,
probably more information than you really wanted to know, but if you can
fill in some of the blanks on what errors you are seeing and the typical
access flow for the servers involved we may be able to comment more.  Also,
where (on which servers) you are seeing the authentication errors will also
help.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 14, 2006 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

Hi Brian, 

Thanks again for the command %Logonserver%, after you sent it, I
remembered the command I was looking for is  Set , I just forgot, and
your system variable reminded me.

Thanks again.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Thursday, April 13, 2006 5:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

Well.. I am not really supposed to list any server names, or mention our
OU structure on the list. But, if you're savvy, you can verify my email
domain name and figure out where I am having the problem at. :-)

I am thinking this may be a cost issue for our site, and the Oracle
servers are going to the wrong DC for authentication!

Thank you so much for the help!

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, April 13, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to verify which DC authenticated a user
account?

You work for an imaginary company? :-)

You can check the secure channel using nltest, as follows:

Nltest /sc_query:domain /server:server_name

e.g
 
Nltest /sc_query:MYDOM   /server:MYSRV

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, 14 April 2006 11:53 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to verify which DC authenticated a user
account?

Greetings,

We seem to be having intermittent authentication errors on several
servers that are pulling reports from our SQL & Oracle database clusters
and the site that I am located in at an imaginary company.  I remember
using a command in NT 3.51 that told you the PDC or BDC that processed
your logon or authenticated you, but forgot it. I tried srvinfo and it
only shows you the PDC emulator in the domain; is there a recommended
tool for active directory? We don't have USRSTAT, is that it? Is it
NETDOM or NLTEST?

 Also when I run NETDIAG the following errors appear:

Kerberos test. 

RE: [ActiveDir] How Secure is a Domain Controller?

2006-04-03 Thread Steve Linehan
The following series of articles on passwords vs. pass phrases by Jesper
also discusses this:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, April 03, 2006 9:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How Secure is a Domain Controller?

Sorry one more thing.. in a Center for Internet Security project to set
Baseline Operational Security Standards for protecting sensitive data
(both PII and business confidential)... they are actually leaning
strongly towards recommending two factor authentication and not just
passwords and a protection factor.

When LC5 was still around (before Symantec killed it) cracking 7 or less
character passwords on a network with lanmanhashes enabled ... those got
broken pretty quickly.  14 characters breaks the lanmanhash setting.  
Ergo the recommendation for long passphrases for admin accounts (and Joe
has stated that they lock up the 500 accounts and make those pass
phrases even longer than that)

Someone stated today that maybe we need to consider a password policy
that does not require a change out of every 90 days as that does tend to
make the person weaken a password or reuse something.

If instead they used a long and nasty passphrase and only changed it
once a year.. would that actually be less risk than one changed more
often?

Food for thought.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 The Magical Number Seven:
 http://www.well.com/user/smalin/miller.html

 Protecting your Windows Network, Dr. Jesper Johansson and Steve Riley 
 site that study regarding the ability of humans to process 
 information.  (Good book btw..entertaining security book)




 Amazon.com: Protect Your Windows Network : From Perimeter to Data 
 (Microsoft Technology): Books: Jesper M. Johansson,Steve Riley:
 http://www.amazon.com/gp/product/0321336437/sr=8-1/qid=1144114723/ref=
 pd_bbs_1/103-7946857-8851835?%5Fencoding=UTF8




 Al Mulnick wrote:

 I'd be very interested to see the technical data that backs that up 
 (not you Neil, but the folks from Microsoft that make that claim.)
  
 Is it related to people being able to remember a limited number of 
 numbers 
 perhaps?(http://www.youramazingbrain.org.uk/yourmemory/digitspan.htm
 ) Or is there some other empirical data that says that passwords with

 greater than 7 characters is likely to be repeated?
  
 Or could it be that somebody at MS is sore that NTLM had to be 
 upgraded to beyond two 7 char strings? ;)
  
 Seriously, I see nothing like that here 
 http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf or 
 here http://www.passwordresearch.com/stats/statindex.html
  
 I think that's a load of bologna to make a suggestion to keep 
 passwords to less than 7 characters.  If anything, there's no reason 
 not to make them longer as the more characters that have to be 
 guessed, the harder it becomes to brute-force hack them (assuming 
 that passwords are not stored as two 7 char strings, right?)  That 
 allows the system to be even more useful because you can then extend 
 the attempts prior to lockout making the system more useful to the 
 end user.
 In the end, there are some assertions that passwords by themselves 
 are coming to the end of their useful life. Hmm.. Maybe. But I think 
 coupled with good lockout policies, strong passwords mean we can 
 mitigate the risks for most situations.  Not forever of course.
  
 I'd love to see some of that data that shows that users repeat after
 7 characters if anyone has it.  
 Al
  
  

 Just for fun:
 http://plus.maths.org/issue31/features/eastaway/index-gifd.html
  
 On 3/6/06, [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]* [EMAIL PROTECTED] 
 mailto:[EMAIL PROTECTED]  wrote:

 The use of 20 char passwords caught my eye.
 In previous discussions with MS et al, it was suggested that the
 majority of users would simply repeat a (at most) 7 char password
 n times, so as to meet the 20+ char pw policy requirement.
 As a result, I have heard it suggested that in reality (not
 theory) a pw policy of more than 7 chars is actually counter
 productive. [Any pw policy with a multiple of 7 chars being most
 counter productive.]
 Food for thought,
 neil

 


 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
 Sent: 05 March 2006 08:35
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How Secure is a Domain Controller?

 I've written down some related thoughts once:
 http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

 

RE: [ActiveDir] Daylight savings query

2006-04-03 Thread Steve Linehan
You can also query the setting using w32tm.exe /tz

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, April 03, 2006 8:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Daylight savings query

Yeah in hindsight I think I can achieve bon bon status by just putting
the stupid key in group policy.




Dean Wells wrote:

I don't query the existing setting, I simply set it ... via site linked
policies or script or whatever's your preference --

Control.exe TIMEDATE.CPL,,/Z (GMT-08:00) Pacific Time (US & Canada); Tijuana

alternatively:

RUNDLL32.EXE SHELL32.DLL,Control_RunDLL TIMEDATE.CPL,,/Z (GMT-08:00) Pacific Time (US & Canada); Tijuana

... where '(GMT-08:00) Pacific Time (US & Canada); Tijuana' is the timezone
being set.

The supplied value behind /Z is from the Display value under the registry
key -
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones'

You can also use the Std value in those registry keys as well, this is
equivalent to (GMT-08:00) Pacific Time (US & Canada); Tijuana:

Control.exe TIMEDATE.CPL,,/Z Pacific Standard Time

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

 

  

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, April 03, 2006 9:20 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] Daylight savings query

Without walking around to every stupid new desktop every year
and getting mad at Dell that they aren't picking up the right
timezones, I want to sit at my desktop eating bon bons and scan them and
see if they've screwed up and the Secretaries will be booking
appointments in the wrong time zones and the bosses will be
getting mad

(Bosses get the new computers.. Secretaries get the old ones
that already have the time zone problem resolved)

Basically I'm asking... what do you guys do in big server
land to ensure that every stupid Outlook is booking
appointments in the proper zone?

Dean Wells wrote:



It's late so that could well be it ... but I'm afraid I'm uncertain as
to what it is you've not already ascertained for yourself?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



 

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, April 03, 2006 8:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Daylight savings query

(someone go pick Joe up off the floor after I post this.. I'm actually
asking about scripting)

Is there a script that can be run to determine what a computer's time
zone status is?  Some WMI status in AD or something?  It seems like
every time I get new computers in the office...the OEM image that we
don't nuke and pave means that they do not grab the automatically
adjust setting, even though it's checked, so they end up staying on
standard time rather than flipping to daylight savings and thus
causing appointments to be off an hour.

Okay so the setting is under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

But the values under there are not jumping out at me as to which one
the machine is broadcasting?

Is it Daylight Bias RegDword ffc4  ...as if I flip the gui on
and off.. that value goes down to 0

...wonder if I can group policy that reg key value... hmm


How to configure daylight saving time dates for Brazil:
http://support.microsoft.com/?kbid=317211

Use a script to delete DisableAutoDaylightTimeSet from the registry.
When deleted 'Automatically adjust clock for daylight savings changes'
in Windows will be checked.

The registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



   




 

  







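Susan's question in this thread (a script to tell what a computer's time zone status is) can be answered from the TimeZoneInformation key the thread identifies. The PowerShell below is an added example, not from the thread: it reads the DST-related values from one or more machines and flags the ones whose zone observes DST but have automatic adjustment switched off, which is the state that produces the appointments-off-by-an-hour symptom. Remote Registry access on the target hosts and the DynamicDaylightTimeDisabled value (the Vista-and-later counterpart of the DisableAutoDaylightTimeSet value named in the thread) are assumptions beyond what the thread shows.

```powershell
# Added example, not from the list thread. Reads the time-zone state of one or
# more machines straight from the TimeZoneInformation key the thread points at.
# Assumes: the Remote Registry service is reachable on remote hosts and the caller
# is an administrator there. DynamicDaylightTimeDisabled is the Vista-and-later
# name for what DisableAutoDaylightTimeSet means on XP/2003 (assumption, not from the thread).

function Get-TimeZoneState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $subKey = 'SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
    foreach ($computer in $ComputerName) {
        $state = [ordered]@{
            ComputerName  = $computer
            StandardName  = $null   # display name on XP/2003, a tzres.dll reference on later versions
            BiasMinutes   = $null   # UTC = local time + Bias
            DaylightBias  = $null   # -60 (0xffffffc4 as a DWORD, the "ffc4" in the thread) for a one-hour shift
            ZoneHasDST    = $null
            AutoAdjustDST = $null
            Error         = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey($subKey)
            if (-not $key) { throw "$subKey not found" }

            $legacy = $key.GetValue('DisableAutoDaylightTimeSet')   # present and 1 => adjustment off (XP/2003)
            $modern = $key.GetValue('DynamicDaylightTimeDisabled')  # same meaning on Vista and later
            $state.StandardName  = $key.GetValue('StandardName')
            $state.BiasMinutes   = $key.GetValue('Bias')
            $state.DaylightBias  = $key.GetValue('DaylightBias')    # DWORD comes back as a signed Int32
            $state.ZoneHasDST    = ($null -ne $state.DaylightBias -and $state.DaylightBias -ne 0)
            $state.AutoAdjustDST = -not (($legacy -eq 1) -or ($modern -eq 1))
            $key.Close(); $hklm.Close()
        } catch {
            $state.Error = $_.Exception.Message
        }
        [pscustomobject]$state
    }
}

function Find-DstNotAdjusting {
    # The machines Susan is hunting for: the zone observes DST but the
    # "Automatically adjust clock" setting is off, so they stay on standard time.
    param([string[]]$ComputerName)
    Get-TimeZoneState -ComputerName $ComputerName |
        Where-Object { -not $_.Error -and $_.ZoneHasDST -and -not $_.AutoAdjustDST }
}

# Usage (host names are placeholders):
# Find-DstNotAdjusting -ComputerName 'PC01','PC02' | Format-Table -AutoSize
```

Run Get-TimeZoneState on its own to see every machine's values, including ones that failed with an Error, rather than only the offenders.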

  

RE: [ActiveDir] View Delegated Tasks?

2006-03-23 Thread Steve Linehan



You can however use something like DSRevoke to build a
report: http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, March 23, 2006 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] View Delegated Tasks?


You can't. The delegate 
wizard is write only. You have to look at the security descriptor on the OU and 
figure out what changes were made.

Wook Lee
AD Architect - HP IT


From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 3/17/2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] View Delegated Tasks?


When I delegate permissions to a 
group in ADUC to a specific OU (using the Delegate Wizard), how can I go back 
and see who was delegated and the permissions?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469





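Wook's point above is that the wizard only writes ACEs into the OU's security descriptor, so the only way to see what was delegated is to read that descriptor back. The PowerShell below is an added example, not code from the thread or from DSRevoke: it lists the explicit (non-inherited) ACEs on an OU, which is what the Delegation of Control wizard adds, and resolves attribute, class and extended-right GUIDs to names. It assumes the ActiveDirectory module (RSAT) and the AD: drive it provides; the OU name in the usage line is a constructed placeholder.

```powershell
# Added example, not from the thread: report the explicit (non-inherited) ACEs on an OU,
# which is exactly what the Delegation of Control wizard writes, with schema/extended-right
# GUIDs resolved to names. Assumes the ActiveDirectory module (RSAT) and its AD: drive.
Import-Module ActiveDirectory

# Build a GUID -> name map once from the schema (attributes/classes) and the
# Extended-Rights container (control access rights such as "Reset Password").
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Resolve-AceGuid {
    param([guid] $Guid, [hashtable] $GuidMap)
    if ($Guid -eq [guid]::Empty)        { return '(all)' }      # applies to the whole object
    if ($GuidMap.ContainsKey($Guid))    { return $GuidMap[$Guid] }
    return $Guid.ToString()                                       # unknown GUID: show it raw
}

function Get-ExplicitOuAces {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [hashtable] $GuidMap = (Get-AdGuidMap)
    )
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs came from a parent, not from the wizard
        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType                          # Allow / Deny
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = Resolve-AceGuid -Guid $ace.ObjectType -GuidMap $GuidMap
            InheritedTo = Resolve-AceGuid -Guid $ace.InheritedObjectType -GuidMap $GuidMap
            Inheritance = $ace.InheritanceType
        }
    }
}

# Usage (the OU name is a constructed placeholder):
# Get-ExplicitOuAces -OuDistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Run it against the OU you delegated on and compare the trustees and rights with what you expect; anything explicit that you did not delegate deserves a look, and an ACE granting a broad right such as GenericAll or WriteDacl on an OU is the kind of entry that is easy to add with the wizard and hard to notice afterwards.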


RE: [ActiveDir] DNS Server will not Start

2006-03-20 Thread Steve Linehan
So there is a reason that this occurs and I am one of the people
responsible for the change in behavior, I did not write the code but did
track down the cause and worked to rectify it after a customer took an
outage because of it.  As others have stated using that registry key can
be dangerous and there is a reason that DNS now waits until initial sync
before loading a zone and will continue to retry loading the zones after
initial sync is performed.  So why do we now check for initial sync?
Well it turns out that there are situations where DNS will recreate
containers and records when it does not find them locally.  When this
occurs these changes can replicate out and cause conflicts in the
Directory which can cause the entire DNS structure to appear to go away
and cause havoc in the environment.  It is also the reason that we often
see replication storms with respect to the SOA record.  So in SP1 and
actually a hotfix before SP1 we now require an initial sync to ensure
that we have the up to date zone information before loading it.  The
errors are benign and are there to inform you why the zone/zones have
not loaded but the DNS server will continue to wait and once the initial
sync is complete will then load the zones.  This is here to protect you
and while it does slow down loading the zones, it is an important trade-off
for system stability.  The following link has a description of the fix
that made this change: http://support.microsoft.com/kb/836534/en-us.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Umer Y
Sent: Sunday, March 19, 2006 9:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Server will not Start

Of course it is a work around to the real issue. I suppose I should have
added that to my first email.

Also, while digging it up my emails a little further, here is the
snippet that I was given that:

This registry key value controls if it should do initial synchronization
with other domain controller when it starts up. If it is 0, it won't
synchronize with other domain controllers during startup.

-

Now, if there are replication or other issues with the Domain
Controller[s], of course using the key will only take you as far as
logging on to the machine, if at all, but not any further with resolving
the real issues of the machine.

So yes Joe, you are very correct that there are probably bigger issues
with the environment and the domain controller itself to actually cause
the problem, and definitely something to be looked at.

-Umer.

On 3/19/06, joe [EMAIL PROTECTED] wrote:
 I would have to agree with David's statement.

 Umer, if the DC is overly busy, it isn't a reason to start disabling 
 things that protect it so that it starts up. You get all of the stuff 
 off of it or build it up so that the crap doesn't slow it down so
much.

 When a DC comes back up, it needs to figure out where it is at in 
 relation to everything else in its world in case someone asks it 
 something important that it is supposed to be relatively authoritive 
 for. This registry key says don't do that check, just assume 
 everything is fine. If you have one DC in your forest, this is safe,
otherwise, it very well may not be.

 I don't think there is any public documentation for that key, at least
 I don't recall seeing any. I also don't think I ever saw it up on 
 Premier. I would wonder how someone got ahold of it as it really 
 probably shouldn't be given out by PSS that much. The only time I 
 recall seeing it anywhere is in the source code file that documents 
 all of the NTDS registry keys. There are other publicly undocumented 
 keys that will work too but are also quite bad unless you really have
a strong understanding of what it is they do and why.

 Overall it sounds like there are at least a baker's dozen of issues 
 with the configuration of the DCs at that location and they need to be
 worked through and whomever has made the decisions to load the kitchen
 sink needs to be sat down and had a discussion with concerning the 
 relative importance of DCs to everything else in the forest.

  joe


 --
 O'Reilly Active Directory Third Edition - 
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
 Sent: Sunday, March 19, 2006 6:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DNS Server will not Start

 Setting that Registry value is not the answer.  You're disabling a 
 safety mechanism in AD.  Don't change random Registry values in AD 
 unless you know what they're used for.

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
  Sent: Sunday, March 19, 2006 5:22 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS Server will not Start
 
  Many thanks for this - I spent all weekend looking for a resolution 
  and the PSS answer was ignore it or 

RE: [ActiveDir] Restricting a drive mapping to only from specific systems ( Limiting a computer account to specific workstations )

2006-03-01 Thread Steve Linehan



Well one way to accomplish it would be to use IPSEC in 
require mode and define a rule that only that workstation could contact it as 
well as any other systems you want to admin it from. You could specify ESP 
Null so that you do not have the encryption overhead and simply use IPSEC for 
authorization. I would suggest looking at the following White 
Papers:

Domain Isolation: http://www.microsoft.com/technet/itsolutions/msit/security/ipsecdomisolwp.mspx
MSIT Security: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.mspx (Look 
at the section on Source Code Server Segmentation as well as the table titled 
Data Class vs. Security Control Examples)

In a nutshell Microsoft secures its source code servers in 
the manner that you describe below using IPSEC.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, March 01, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restricting a drive mapping to only from specific systems ( Limiting a computer account to specific workstations )


Hi Everyone, 


I have another requirement and I am not sure how I can do this. One of our Systems Engineers needs to restrict a 
user account from mapping a drive from any other system in the domain than from 
the system that we allow it to be logged in on.

In other words he does not want a user logged in with his or her AD account, then mapping a drive to the shared 
resource with the restricted account.

Is this possible? 

Sincerely,

Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

It seems that there is an upper limit of 1024 characters even in AD2K3 using ADUC.

http://msdn.microsoft.com/library/default.asp?url="">

But, I am told that you can use adsiedit to edit "userWorkstations" value to add more than 63 machines, though it is not Microsoft supported.


On 2/27/06, Medeiros, Jose [EMAIL PROTECTED] wrote:

Greetings,

I have a quick question. I have a requirement to limit a single account to logon to only specific systems (About 120). Although I have not tried this, one of our Systems Administrators stated that he was limited to adding only about 30. Does any one know if there is a work around? Has this number been increased in Active Directory 2003?

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell
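The thread's own answer for the "about 120 systems" requirement is the userWorkstations attribute (the "Log On To..." list in ADUC, editable with adsiedit). The following PowerShell is an added example, not part of the thread: it writes that attribute for one account from a list of computer names and reads it back so you can see exactly what the DC stored. It assumes the ActiveDirectory module; the account name and the KIOSK-nnn computer names are constructed placeholders.

```powershell
# Added example, not from the thread: populate userWorkstations ("Log On To..." in ADUC)
# for one account from a list of computer names, then read it back. Assumes the
# ActiveDirectory module; account and computer names below are constructed placeholders.
Import-Module ActiveDirectory

function Set-AllowedWorkstations {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $ComputerNames
    )
    # The attribute is a single comma-separated string of NetBIOS computer names (no domain prefix).
    $names = $ComputerNames | ForEach-Object { $_.Trim().ToUpperInvariant() } | Sort-Object -Unique
    $value = $names -join ','
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $value

    # Read it back: the caller sees how many names were stored and how long the string is,
    # which is the quickest way to notice a client-side limit silently dropping entries.
    $stored = (Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations).LogonWorkstations
    [pscustomobject]@{
        Account      = $SamAccountName
        Requested    = @($names).Count
        Stored       = @($stored -split ',').Count
        StringLength = $stored.Length
    }
}

# Usage: 120 constructed names KIOSK-001 .. KIOSK-120 for a constructed account.
$allowed = 1..120 | ForEach-Object { 'KIOSK-{0:D3}' -f $_ }
Set-AllowedWorkstations -SamAccountName 'svc-restricted' -ComputerNames $allowed
```

One caveat worth keeping in mind: userWorkstations is a logon restriction keyed on the computer name the client presents, not a network control bound to an address or a machine identity, so it limits where the account may log on rather than proving which host a connection came from. That is why Steve's IPsec suggestion above remains the stronger answer to Jose's original question about drive mappings.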



RE: [ActiveDir] Authentication for kiosk machines - straw poll

2006-02-16 Thread Steve Linehan
You can encrypt the password used for autologon.  There is an API to do
this but it is also included in the tweakui power toy.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, February 16, 2006 5:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Authentication for kiosk machines - straw poll

So for those of you that need to put Internet kiosks in place somewhere
in your organization, in a lobby or a dining hall or something, how do
you handle the initial authentication when that machine boots up?
Hardcoding the account credentials in the Registry under the ~\Winlogon
key?  (Clear-text embedded password. Bleach.)  Or do you use a
third-party add-on to make that bit go?

Just curious to see what other people are doing.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)


RE: [ActiveDir] Machine account password Change

2005-12-29 Thread Steve Linehan
You can reset the machine account password a few ways even for member
servers:

1) Use nltest /SC_CHANGE_PWD:DomainName
2) Edit the following registry value setting it to 0 and then restart
netlogon: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
\maximumpasswordage  

Be aware that if you have a policy set that does not allow a password to
be changed more than once a day, i.e. a minimum password age, this
will be enforced for machine accounts, so you may need to disable that
policy for your testing.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 29, 2005 5:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine account password Change

I think there is a misunderstanding here

NETDOM will not reset passwords of domain members. 

NETDOM RESET will reset the secure channel, that isn't the machine
account password.

NETDOM RESETPWD is only for domain controllers. 

I believe there is an API call to do this, I just don't think anyone has
exposed it in a tool.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Thursday, December 29, 2005 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine account password Change


Check this out
http://support.microsoft.com/kb/216393/EN-US/

command is 

netdom reset 'machinename' /domain:'domainname'

-Parag

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Thursday, December 29, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Machine account password Change

For testing one of our product, I want to reset machine account password
of my exchange member server. How can I do it manually?

I set the maximum password age to 1 day. But I can not wait one day to
run one test. I need to do it many time manually.

Please help

-Manjeet


RE: [ActiveDir] Event 2069 - AD Quota tracking table?

2005-12-28 Thread Steve Linehan



This error is benign as long as you are not enforcing 
quotas for Active Directory objects and if you are the only downside is that a 
user may be able to create more or less objects than they should. The 
issue can occur on a DC or a GC and one of the ways it occurs is when SDProp 
fixes-up missing or corrupt security descriptors on objects. To correct 
the problem you can boot the machine into Directory Service Restore Mode and 
then run the following commands from ntdsutil:

Semantic database analysis
rebuild quota

Once done, reboot back to DS & check for 2065 which signals a successful rebuild of the 
table.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 28, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table?

Hard to say how much of a problem that is. I've seen references to it 
being a problem with the GC which is why I asked. It would be something 
where you'd want to remove the GC role, and then re-add it/rebuild it based on 
what I've seen. I wouldn't have expected it to go away completely unless 
it only occurs at specific times such as during backup (not that it would be 
triggered that way in this case). 

Given the timing, it might be a good idea to schedule it for rebuild at 
some point in the future post holiday season. If for nothing else to 
ensure it is in a known good state and has no legacy issues. 

Al
On 12/28/05, Freddy HARTONO [EMAIL PROTECTED] wrote: 

  Hi Al

  Yup this is a GC.

  Frankly I'm not sure what has been done to this DC as I just started to take over the 
  DC yesterday. One of the things that was done most probably was to 
  standardize antivirus to SAV 9 - that's pretty much it. 

  Seems like after another reboot this error doesn't appear yet (only 1 event in the 
  log).

  Should this be a major alarm - is it recommended to demote and re-promote? (I hate to 
  do this at holiday season :)

  Thanks Al!

  Thank you and have a splendid day! 
  Kind Regards, 
  Freddy Hartono 
  Group Support Engineer 
  InternationalSOS Pte Ltd 
  mail: [EMAIL PROTECTED] 
  phone: (+65) 6330-9785 
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: Wednesday, December 28, 2005 10:08 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table?
  
  
  Freddy, is this also a global catalog server? 
  It is a concern as this should not be something you see on normal 
  servers. Also, can you describe what changed in the environment recently 
  and what else is running on that server?
  
  Al
  
  On 12/28/05, Freddy HARTONO [EMAIL PROTECTED] wrote: 
  
Hi all 

Found an interesting event, haven't been able to find any additional info on this yet, but from the look of it it's only 
happening in this domain controller and it seems to be responding well. 

Is this much of a concern? 

Event Type: Error 
Event Source: NTDS General 
Event Category: (9) 
Event ID: 2069 
Date: 12/28/2005 
Time: 12:58:28 PM 
User: NT AUTHORITY\ANONYMOUS LOGON 
Computer: SELSOS01 
Description: Active Directory detected corrupt counts in the quota-tracking table. 
Quota enforcement may not behave correctly until the quota-tracking table is 
rebuilt. 

Thank you and have a splendid day! 
Kind Regards, 
Freddy Hartono 
Group Support Engineer 
InternationalSOS Pte Ltd 
mail: [EMAIL PROTECTED] 
phone: (+65) 6330-9785 
  


RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Steve Linehan



We do not replicate corruption so if you have local 
corruption as noted below there is no worry that it would replicate around to 
other servers in the environment.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, 
but it makes sense that if the copy of the dit that a DC has is RO that it won't 
try to replicate that anywhere and would only be the recipient of replication. 
Anyone with more knowledge about how RO DC's will work to comment on that? 


Phil
On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote: 

  Well at least the corruption occurred on just a single DC. One thing that has 
  bugged me about Active Directory is not being able to select if you want a DC 
  in a remote office to not have the ability to replicate back in a large 
  enterprise environment. Since most remote offices only have a few people at 
  the location and a DC is usually placed for improvised logon and 
  authentication time, many companies will either use a very low end server or a 
  very old decommissioned one from their production data center ( Which is 
  probably close to usable life ). I am always concerned that once the NTDS.DIT 
  file becomes corrupt it will replicate the corruption to the other DC's in the 
  Forest.

  Maybe I am just being a worry wart and this really is not an issue.

  Sincerely,
  Jose Medeiros
  ADP | National Account Services
  ProBusiness Division | Information Services
  925.737.7967 | 408-449-6621 CELL

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Monday, December 05, 2005 8:53 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Ntds.dit file corruption

  I did? :-)

  I think I still said all I know is what the poster said :-)

  I think I need a course in event log reading because even with the logs, and 
  the default size of the logs, I still don't see a smoking gun. The directory 
  services one is filled with events 'post' blow up.

  What is interesting is that it seems to me big server land goes .. oh yeah... 
  ntds.dit corruption... and sbsland freaks out. Either we do indeed need to 
  ensure we have a secondary DC or we need to park a second copy of a system 
  state offsite [say at the vap/var]

  Brett Shirley wrote: 
  She replied offline, very likely a single bit flip, tragedy, they aren't one 
  release later (Longhorn), where this would've probably been non-disruptively 
  handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx 

  Anyway, this kind of thing is usually hardware ... While there are much better 
  disk sub-system testers, one that is freely available to any box with Exchange 
  is jetstress. You might give that a try. If you can reproduce the event / error 
  with jetstress I would not use that box in production. If you do reproduce the 
  issue several times (several times is key, as you want a trend before you 
  start playing the variable game), some things you might vary (one at a time):
  - Try making sure you have the latest driver and motherboard / controller 
  firmware. Then see if you can reproduce. 
  - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
  - Try swapping out the hard drives, one at a time.
  - Adding the jetstress files to the exclude list in the Anti-Virus software. 
  (A low probability, I've never heard of Anti-Virus causing this particular 
  type of error, and I can't imagine the mistake an anti-virus product would 
  have to have to cause this side effect) 
  - If you can reproduce it several times, you could followup with Dell. 

  Good luck. I'm not sure if I answered your question ... 

  Cheers, 
  BrettSh 

  On Sun, 4 Dec 2005, Eric Fleischman wrote: 
  Going back to the original post, I'm not sure I fully understand the problem 
  yet. Susan, can you define "ntds.dit file corruption" for us? What sort of 
  corruption? What errors/events lead you to believe this? Specifically, I'm 
  interested in errors from NTDS ISAM or ESE if you have any. 

  From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Sat 12/3/2005 10:58 PM 
  To: ActiveDir@mail.activedir.org 
  Subject: [ActiveDir] Ntds.dit file corruption 

  SBS box [with Windows 2003 sp1 since September] 

  RE: [ActiveDir] Database Corruption: http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html 

  We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS 
  have been banging on. Could not get the services back running, changed the RPC 
  service to local system and some service came back up [I don't have all the 
  details but the 

RE: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Steve Linehan



For full disclosure I am no longer in the Microsoft 
Services organization, I was the last time Joe talked to me where I was an 
Advisory Support Engineer (AKA Alliance Support). I am now a Product 
Technology Specialist for Directories and Identities in Microsoft's technical 
pre-sales organization. Not that it changes the answer below. 
:-)

Thanks,

-Steve
Steve Linehan | Technology Specialist Directories & Identities | South Central District | Microsoft Corporation


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

RODCs are a LongHorn feature. It will be one-way 
replication to the RODCs. They will not replicate out anything. If you are on 
the LongHorn beta you should be able to test this right now.

But as Steve (one of the really good PSS guys)said 
and I can concur as I have seen my share of corrupted DITs, the corruption 
doesn't replicate. 

In every case I have seen it the problem has been hardware 
failure or a firmware/driver matchup issue in the disk 
subsystem.

Fixing them is easy, wipe the machine, do hardware tests, 
if it passes, do it again. If it passes do it a third time. If it passes, reload 
and repromo. If it fails one of the tests, get the hardware fixed, reload, and 
repromo.

If SBS, well you have all sorts of issues in that basket as 
your eggs leak. 

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for 
a fact that Microsoft did not have this feature when AD 2000 was first released 
because I mentioned it to several Microsoft AD premier support 
specialists and they each confirmed it was not available ( However it may have 
been added in a service pack ).

I would love to know how to enable a read only DC. I think that is a great idea, I 
wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
  Sent: Monday, December 05, 2005 11:04 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Ntds.dit file corruption
  Will Read Only DC's take care of this? I don't know much about them yet, 
  but it makes sense that if the copy of the dit that a DC has is RO that it 
  won't try to replicate that anywhere and would only be the recipient of 
  replication. Anyone with more knowledge about how RO DC's will work to comment 
  on that? 
  
  Phil

RE: [ActiveDir] AD related? not really...

2005-12-01 Thread Steve Linehan



As I recall the tweakUI powertoy that can be downloaded 
from the microsoft.com web site will allow you to set autologon credentials that 
are encrypted as described below.

Thanks,

-Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mitch Reid
Sent: Thursday, December 01, 2005 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD related? not really...

It claims it does although I have not verified it.

I suppose you could check the registry referenced in:
http://support.microsoft.com/?kbid=315231
On 12/1/05, AD [EMAIL PROTECTED] wrote: 

  
  Thanks Mitch,
  
  Very interesting. The source code is different than the actual executable. I am sending an email to the developer. 
  Hopefully he will reply.
  
  You wouldn't know if it encrypts the 
  password would you?
  
  Yves
  
  
  From: Mitch Reid
  Sent: Thu 01/12/2005 10:57 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] AD related? not really...
  
  
  Sysinternals has a free utility that will automate the process:
  
  http://www.sysinternals.com/Utilities/Autologon.html
  On 12/1/05, AD [EMAIL PROTECTED] wrote: 
  
We have workstations that are not added to the domain and are configured to autologin. The username and password 
are duplicated on our domain which allows the local account to use 
network resources. 

We would like to join the workstation to the domain (too many advantages 
to explain why) and eliminate the local account and modify the autologin to 
use a domain username and password. This causes a problem as the username 
and password is stored in the registry as plain text. 

Has anyone ever had to deal with this scenario? I have 
found the following articles (below) that describe that the Autologon 
password can either be plain text in the registry (Winlogon key) OR 
encrypted into a Local Security Authority (LSA) secret. 

Does anyone know how to use these functions to encrypt the username and 
password in the registry?

http://www.microsoft.com/technet/security/tools/mbsa1/wp.mspx 

(Autologon section)
http://msdn.microsoft.com/library/default.asp?url=""> 
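Both this thread and the kiosk straw poll above come down to the same question: is the autologon password sitting in the Winlogon key as plain text, or has it been moved into an LSA secret (which is what the Sysinternals Autologon tool and the TweakUI power toy Steve mentions do)? The PowerShell below is an added example, not part of either thread: it reads the documented Winlogon values on the local machine and reports whether a clear-text DefaultPassword is present, without echoing the password itself. Nothing beyond the standard registry path is assumed; wrap it in Invoke-Command to check a fleet of kiosks.

```powershell
# Added example, not from the thread: audit the local machine for an autologon password
# stored in clear text. The Winlogon key and the value names AutoAdminLogon, DefaultUserName,
# DefaultDomainName and DefaultPassword are the documented ones; the function only reads them
# and never outputs the password value.
function Test-AutologonExposure {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key

    $enabled   = ($wl.AutoAdminLogon -eq '1')
    # A DefaultPassword value present in the key means the password is readable by any
    # local user; when it is kept as an LSA secret instead, this value is absent.
    $clearText = ($null -ne $wl.PSObject.Properties['DefaultPassword'])

    $finding = if (-not $enabled)  { 'Autologon disabled' }
               elseif ($clearText) { 'Autologon enabled with DefaultPassword in the registry (clear text)' }
               else                { 'Autologon enabled; no clear-text DefaultPassword (likely stored as an LSA secret)' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AutoAdminLogon    = $enabled
        DefaultDomainName = $wl.DefaultDomainName
        DefaultUserName   = $wl.DefaultUserName
        ClearTextPassword = $clearText
        Finding           = $finding
    }
}

Test-AutologonExposure
```

The design choice to report only a boolean for the password is deliberate: an audit script that prints credentials just creates a second copy of the problem in your logs. Keep in mind that the LSA-secret form narrows who can read the password (an administrator on the box can still recover LSA secrets) rather than removing the stored credential, so the account a kiosk logs on with should carry the minimum rights it needs regardless of where the password lives.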



RE: [ActiveDir] Slow LDAP responses

2005-12-01 Thread Steve Linehan
Another good way to see what is going on when this occurs is to get your
hands on a tool called adperf which was the predecessor to Server
Performance Advisor and runs on Windows 2000.  It will help analyze what
is pegging the CPU.  Since you appear to have a support incident open
with Microsoft the engineer should be able to provide this and help
interpret the report it outputs.  Server Performance Advisor can really
help at looking at a variety of performance problems on Windows Server
2003 and can be coerced into compiling the output from ADPerf so that it
is in a more friendly XML format than what ADPerf spits out however both
are very readable and can really cut down the time needed to analyze
performance problems.  The netlogon logging can help if you know what
you are looking for but netlogon is usually just one piece of the pie.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Thursday, December 01, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow LDAP responses


A couple of things:

1) Have you looked at what AV solution is on your clients? If you are
using McAfee VSE 8.0 with Patch 11, they are your problem. There is a
patch 11a
http://groups.google.com/group/microsoft.public.windows.server.general/browse_thread/thread/e12b2c63af204b54/b62bcff6d7e9ce1e?lnk=stq=dfssvc.exe+high+cpurnum=2hl=en#b62bcff6d7e9ce1e

http://groups.google.com/group/microsoft.public.windows.server.dfs_frs/browse_thread/thread/1ec1e082e8880bb1/8b3c12d674c8c1f2?lnk=stq=dfssvc.exe+high+cpurnum=1hl=en#8b3c12d674c8c1f2

2) I had another situation going on with high CPU of LSASS and it was
virus activity from unprotected workstations. I ended up setting
NETLOGON logging: 

http://support.microsoft.com/?id=109626 a value of 2080 (HEX)

Then taking the netlogon.log file created in the debug directory and
loading that into NLPARSE.EXE to look for clients with tons of failed
authentication requests. Every one of the clients found with lots of
failed authentication requests had AV stopped on it and eventually found
to be infected with BAT\mumu

From my experience with these events, they are a symptom of something
hammering your DCs.

Good luck

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 01, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow LDAP responses

How odd, that jumped offlist and then back onlist...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Whaley, Greg
Sent: Wednesday, November 30, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Slow LDAP responses

Thanks Joe. In further research I have found when LDAP response is slow
that LSASS.exe is taking up most of the process. I have also seen in
other post that there may be a beta patch from MS for lsass.exe high
utilization. So now I am waiting for MS to get back to me.


Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 7:43 PM
To: Whaley, Greg
Subject: RE: [ActiveDir] Slow LDAP responses

ADFIND will take any standard LDAP query and execute it, you generally
just specify the base (-b) and a filter (-f) and add -selapsed to get
the timing values. So for instance, you could do

Adfind -b dc=domain,dc=com -f ou=* -dn -selapsed

To get a list of all DNs of Ous in domain.com

   joe

-Original Message-
From: Whaley, Greg [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 23, 2005 8:56 AM
To: joe
Subject: RE: [ActiveDir] Slow LDAP responses

Joe,

I do not really understand the command syntax any way you can give me an
example?

Greg Whaley
Consulting LAN Engineer
St. John Health
586-753-1594

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, November 04, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow LDAP responses

How do you know the responses are slow? What aspect is slow? Is it the
name resolution, the bind, the query itself, what?

Usually the first thing I would do in something like this is look at the
-selapsed output of adfind, which breaks up timing by the various things done
in the query:

Elapsed Times:
   LDAP_OPEN          0.016
   ROOT_DSE           0
   LDAP_OPEN_2        0
   PARTIAL_SCHEMA     0.407
   LDAP_UNBIND_2      0
   LDAP_SEARCH_INIT   0
   LDAP_GET_PAGES     0.062
   LDAP_UNBIND        0

That can help narrow it down. If the open is really slow then I get out
a network sniff and start watching the name res process, etc., and usually
find the problem there.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Whaley, Greg
Sent: Friday, November 04, 2005 2:24 PM
To: 
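
As an added example (mine, not code from the original posts, from Microsoft or from NLPARSE), here is a small Python pass over netlogon.log in the spirit of the NLPARSE step described at the top of this thread: it reads the SamLogon result lines written with the 0x2080 debug flag, counts non-success NTSTATUS results per client, and lists the account names each noisy client tried. The log lines are constructed samples in the shape of netlogon.log output, not a real capture.

```python
"""Rank clients by failed authentication attempts in a Netlogon debug log.

Added example for the thread above, not code from the original posts or
from NLPARSE. With Netlogon debug logging enabled (DBFlag 0x2080 from
KB 109626) every completed SamLogon request is written with its NTSTATUS;
0x0 is success, anything else is a failure, e.g. 0xC000006A wrong password
and 0xC0000064 unknown user. The sample below is constructed, not a capture.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape netlogon.log takes. The exact prefix
# varies between Windows versions, so the parser anchors on "SamLogon:" only.
SAMPLE_LOG = """\
12/01 14:02:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS-ALICE Entered
12/01 14:02:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WS-ALICE Returns 0x0
12/01 14:02:12 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from LAB-PC07 Entered
12/01 14:02:12 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from LAB-PC07 Returns 0xC000006A
12/01 14:02:12 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from LAB-PC07 Returns 0xC000006A
12/01 14:02:13 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\administrator from LAB-PC07 Returns 0xC000006A
12/01 14:02:13 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\guest from LAB-PC07 Returns 0xC0000064
12/01 14:02:14 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_backup from BACKUP01 Returns 0xC000006A
12/01 14:02:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WS-BOB (via DC01) Returns 0x0
12/01 14:02:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from LAB-PC12 Returns 0xC000006A
12/01 14:02:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from LAB-PC12 Returns 0xC000006A
12/01 14:02:16 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\admin from LAB-PC12 Returns 0xC000006A
12/01 14:02:16 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\alice from WS-ALICE Returns 0x0
"""

# Only "Returns" lines carry a result; "Entered" lines are skipped.
LOGON_RE = re.compile(
    r"SamLogon: (?P<kind>[\w ]+?) logon of (?P<user>\S+) from (?P<client>\S+)"
    r"(?: \(via \S+\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)


def parse_logons(text):
    """Return (client, user, ntstatus) for every completed SamLogon request."""
    records = []
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            client = m.group("client").lstrip("\\").upper()
            records.append((client, m.group("user"), int(m.group("status"), 16)))
    return records


def failed_logons_by_client(text):
    """Count non-success results per client machine."""
    counts = Counter()
    for client, _user, status in parse_logons(text):
        if status != 0:
            counts[client] += 1
    return counts


def accounts_tried(text):
    """Map each client to the sorted account names it failed to log on as."""
    tried = defaultdict(set)
    for client, user, status in parse_logons(text):
        if status != 0:
            tried[client].add(user)
    return {client: sorted(users) for client, users in tried.items()}


def noisy_clients(text, threshold=3):
    """Clients with at least `threshold` failures, most failures first.

    A machine cycling through several account names against the DC is the
    pattern the thread describes for infected hosts with AV stopped.
    """
    counts = failed_logons_by_client(text)
    return [(c, n) for c, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    tried = accounts_tried(SAMPLE_LOG)
    for client, failures in noisy_clients(SAMPLE_LOG):
        print(f"{client}: {failures} failed logons, accounts {tried[client]}")
```

On a real log the threshold would be set against the normal background of mistyped passwords, and the clients it flags are the ones to check for stopped AV and infection as the thread describes.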

RE: [ActiveDir] some users do not have allow inheritable permissions set

2005-11-09 Thread Steve Linehan

Just out of curiosity, when you go back an hour later is the
box unchecked? This really sounds like the work of AdminSDHolder and the
users in question are likely members of protected groups. If you have not
looked at the following Knowledge Base article you may want to see if
this is what you are running into: http://support.microsoft.com/default.aspx?scid=kb;en-us;817433.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: Wednesday, November 09, 2005 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] some users do not have allow "inheritable permissions" set

Some users do not have allow "inheritable permissions" set. The only way I have
found to reset that setting is to open each user and check that option off.

I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through
ok but does not reset that option. Should that work? Or does anyone know any
other way to set that option on multiple users?

Thanks
Ben


RE: [ActiveDir] No Kerberos referral

2005-11-06 Thread Steve Linehan
Just to clarify: you do not have a Cross Forest Trust in place but instead a
down level trust between domains in the two separate forests? If a cross
forest one way trust is in place then yes, you should see a referral; if it is a
down level trust then no, you will not see a referral, but as you have observed
in some cases Kerberos will work. If you did not choose to create a Cross
Forest Trust in this scenario, was there a specific reason?

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hagberg Lars
Sent: Sunday, November 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] No Kerberos referral

Hi all,

I have a problem getting Kerberos authentication to work between two forests.
Should Kerberos referrals work between domains in different forests trusted by
a one way trust?

Client and user in intranet domain, resource in extranet forest. Windows Server
2003 SP1 & Windows XP SP2.

Extranet domain trusts intranet domain.

Trust is working for NTLM and Kerberos but I don't get a referral to the
extranet domain when I expect it. I get one when I specifically ask for a
referral ticket but not when just asking for a service ticket.

Has anyone else been able to get Kerberos referrals to work with a one way
external trust?

Any proposal what the problem could be if it should work with the one way trust?

Regards Lars Hagberg


_
Lars Hagberg
Volvo Information Technology AB
Dept 2560, VBBVN
SE-405 08 Göteborg, Sweden
Telephone: +46 31 32 21934
E-mail: [EMAIL PROTECTED]  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Steve Linehan

This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571.
The fix allows the automatic archiving of the log files but does not explain
why the problem occurs. The issue is around the fact that a contiguous block
of memory is needed for all of the log files and this is not pre-allocated, so
if the memory on the box becomes fragmented, which it will, then eventually the
contiguous block can not be allocated and we will stop logging. Generally we recommend
not setting the total size of all logs over 300 MB and using the feature above
for the security log so that it can be automatically archived.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file size not reaching the maximum log file size

We recently increased our auditing and set the security log file size to 1G,
but the security log over-writes at about 409MBs; thus never reaching the 1G
security log file size.

Windows 2003 Domain Controllers.

Anyone with any ideas?


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Steve Linehan

And just so you do not think I am making this up, here is the public reference
that documents it: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx
:-)

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 10:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum log file size

This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571.
The fix allows the automatic archiving of the log files but does not
explain why the problem occurs. The issue is around the fact that a
contiguous block of memory is needed for all of the log files and this is not
pre-allocated, so if the memory on the box becomes fragmented, which it will,
then eventually the contiguous block can not be allocated and we will stop
logging. Generally we recommend not setting the total size of all logs
over 300 MB and using the feature above for the security log so that it can be
automatically archived.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file size not reaching the maximum log file size

We recently increased our auditing and set the security log file size to
1G, but the security log over-writes at about 409MBs; thus never reaching the
1G security log file size.

Windows 2003 Domain Controllers.

Anyone with any ideas?



RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-13 Thread Steve Linehan

In my opinion the biggest bang for the buck is consolidation of servers to the
64bit platform, assuming of course that you have a large enough database,
greater than 3 GB, and put enough memory in the servers to cache the entire
database contents. I have come across very few cases where Domain Controllers
were truly CPU bound and in almost all cases they were I/O bound. These servers
perform extremely well for servers that are taking large amounts of ldap
traffic from applications like Exchange.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mauricio F. Funes
Sent: Thursday, October 13, 2005 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Gentleman,

Does anyone have any information regarding Domain Controller consolidation
utilizing Dual Core CPUs?
I have not seen any reports from Microsoft indicating the performance boost
gained by utilizing Dual Core technology on DCs. It is presumed to be much
better than the 20% to 30% gain from Hyper Threading CPUs.

Thanks for your input,

Mauricio Funes
[EMAIL PROTECTED]

Pasadena, CA



RE: [ActiveDir] user log on to only one workstation at a time

2005-09-30 Thread Steve Linehan

As far as success, there are many enterprise customers leveraging this utility
and it went through several rounds of beta testing before being released. It
was written to replace the resource kit utility cconnect.exe as a more reliable
and scalable tool. As far as administration, the tool has a nice MMC console. I
am not sure what you mean by shadow in this context so I can not answer that
question.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Friday, September 30, 2005 7:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] user log on to only one workstation at a time

Hey Steve,

Thanks dear, but please help me out and tell me the scope of success when using
this utility. Is this reliable? What about administration, is it easy or will
it become hard?

Is it possible that I can shadow any user in the organization?

Thanks again!

On 9/29/05, Steve Linehan [EMAIL PROTECTED] wrote:

Take a look at limitlogon that is described in this article: http://www.microsoft.com/technet/technetmag/issues/2005/05/UtilitySpotlight/default.aspx.
It also has a link to download the tool.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
Sent: Thursday, September 29, 2005 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user log on to only one workstation at a time

How can I restrict some or all domain users to log on to only one (any one)
workstation at a time?

Thanks in advance guys

--
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be read,
copied and used only by the intended recipient. If you have received it in
error, please notify the sender immediately by e-mail or telephone. Please then
delete it from your computer without making any copies or disclosing it to any
other person.



RE: [ActiveDir] Stopping DHCP from issuing an address

2005-09-29 Thread Steve Linehan
This is a hard problem to solve today. You can do things like 802.1x so that
devices have to authenticate before getting on the network; however, there are
many obstacles here. The future direction is a solution called Network Access
Protection (NAP) which is being worked on for the next generation of Windows;
more details here:
http://www.microsoft.com/windowsserver2003/technologies/networking/nap/default.mspx
. This will allow scenarios like you mention below where addresses will be
given out but the client's access to the network is restricted until it has
met the requirements for using the network, i.e. a Statement of Health (SOH).
Today the client has to have an address to bootstrap the network, so your only
course of action would be to use 802.1x, which requires hardware that supports
that functionality, or to have reservations for all clients and no additional
addresses available (this really is not workable in most environments and you
might as well go static).

Thanks,

-Steve



From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 9/29/2005 8:53 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Stopping DHCP from issuing an address



Dear List,

We have a conference room which has a network port which is directly
connected to the internet cloud so that visitors who want to hook up
notebooks and get out can.  That port does not allow network access.
Yesterday, a department head asked us if one of his visitors could use
that port and we said go-ahead.  Next thing I know, there's a new PC on
my network in a workgroup.  An investigation revealed that this guest
was taken to an open cubicle which had a PC turned off and he unplugged
it and plugged his notebook in and now my DHCP server says, Oh here's
an address for you, live it up.

This disturbs me.  I was not aware of this problem in DHCP and thought
that unless a PC was joined to the domain, it could not get an address
or live on the network.  But now that I think about it, I guess I
somewhat understand as Workgroups need to be created and they will all
need addresses.

Nonetheless, is there a way to tell DHCP Hey, NO ADDRESSES unless a
Domain Administrator grants it?

Thanks in advance for any advice.

RH

__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] user log on to only one workstation at a time

2005-09-29 Thread Steve Linehan

Take a look at limitlogon that is described in this article: http://www.microsoft.com/technet/technetmag/issues/2005/05/UtilitySpotlight/default.aspx.
It also has a link to download the tool.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, September 29, 2005 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user log on to only one workstation at a time

How can I restrict some or all domain users to log on to only one (any one)
workstation at a time?

Thanks in advance guys

--
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be read,
copied and used only by the intended recipient. If you have received it in
error, please notify the sender immediately by e-mail or telephone. Please then
delete it from your computer without making any copies or disclosing it to any
other person.



RE: [ActiveDir] OT: Guest Access w/o Credential Prompt

2005-09-29 Thread Steve Linehan

What user name are you testing with? Is it unique, meaning that the stand alone
server you are trying to hit does not have a local account by the same name? If
the user account name is on both machines we will not fall back to guest. Also,
if the names are unique, have you tried giving anonymous access?

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, September 29, 2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Guest Access w/o Credential Prompt

Tried that too. No luck.


From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 29, 2005 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Guest Access w/o Credential Prompt

I believe the guest account should have no password.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, September 29, 2005 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Guest Access w/o Credential Prompt

Hello:

Please do not flame me for asking this. I would like to open a non-domain
Windows Server 2003 box for anonymous Guest access to two shares and a printer
without being prompted from the client. (Yes, I am aware that MS has spent lots
of time making this very difficult to accomplish and that it is a huge no no.
Client is aware of why this is so bad and demands it anyway.) Based on various
Googling, I have tried the following steps in order (from my notes):

To allow guest access
- enabled Guest account
- explicitly added Guests group to Share permissions and NTFS permissions for
Data and Finance shares
- Added Guest user to Security Settings\Local Policies\User Rights
Assignments\Access this computer from the network
- Gave Guest user a password.
- Set Security Settings\Local Policies\Security Options\Network Access: Do not
allow anonymous enumeration of SAM accounts to Disabled. (Default is Enabled)
- Set Security Settings\Local Policies\Security Options\Network Access: Let
Everyone permissions apply to anonymous users to Enabled (Default is Disabled)
- Set Security Settings\Local Policies\Security Options\Network Access: Sharing
and security model for local accounts to Guests only (Default is Classic)

Despite all this, the user still gets prompted for credentials.

Thanks.



RE: [ActiveDir] LDAP filters

2005-09-26 Thread Steve Linehan

I also find this article helpful: http://msdn.microsoft.com/library/default.asp?url=""

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP filters

This is always a good starting place if you find it consumable: http://www.faqs.org/rfcs/rfc2254.html

Optionally, using the ADUC MMC Snap-in you can build some Saved Queries and see
how they are built (Query String) by the snap-in to learn some of the
intricacies.

Regards,

Aric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, September 26, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP filters

Where can I find more info on creating LDAP filters? I'm trying to have the
Exchange 2003 Address List display users on multiple Mailbox Stores and Groups.
I have to do a custom LDAP search to accomplish this.



Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are
solely for the intended recipient
and may contain confidential or
privileged information. If you are not
the intended recipient, any disclosure,
copying, use or distribution of
the information included in the message
and any attachments is
prohibited. If you have received this
communication in error, please
notify us by reply e-mail and
immediately and permanently delete this
message and any attachments. Thank You.
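
Added example (mine, not code from the posts, from Microsoft or from Exchange): a small parser and evaluator for the RFC 2254 filter syntax Aric points to, run against constructed entries carrying the homeMDB attribute, to show how a filter selecting users on two specific mailbox stores plus mail-enabled groups is built and why the \2a-style escaping in the RFC matters. The store DNs and entries are made up.

```python
"""RFC 2254 LDAP search filters: parser and evaluator for in-memory entries.
Added example for the address-list question above; not code from the posts,
from Microsoft or from Exchange. It covers the grammar in the linked RFC that
such filters use (AND/OR/NOT, equality, presence, substring) plus the \\xx
escapes for * ( ) and backslash; the sample entries and store DNs are made up.
"""
import re

def _unescape(value):
    """Decode RFC 2254 \\xx hex escapes, e.g. \\2a -> '*' and \\28 -> '('."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse_item(item):
    """Turn 'attr=value' into a leaf node; '*' marks presence or substring."""
    attr, sep, value = item.partition("=")
    if not sep or not re.fullmatch(r"[A-Za-z][\w.;-]*", attr):
        raise ValueError(f"unsupported filter item: {item!r}")
    attr = attr.lower()
    if value == "*":
        return ("present", attr)
    if "*" in value:  # split before unescaping so an escaped \2a stays literal
        return ("substr", attr, [_unescape(p) for p in value.split("*")])
    return ("eq", attr, _unescape(value))

def parse_filter(text):
    """Recursive-descent parser returning a tuple tree for the filter."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos:pos + 1]
        if op in ("&", "|"):
            pos += 1
            children = []
            while text[pos:pos + 1] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", parse())
        else:
            # A literal ')' cannot occur inside a value (it must be \29), so
            # the next ')' closes this item.
            end = text.index(")", pos)
            node = _parse_item(text[pos:end])
            pos = end
        expect(")")
        return node

    return parse()

def matches(node, entry):
    """Evaluate a parsed filter; entry maps lower-case attr -> list of str."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = [str(v).lower() for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":  # AD string matching is case-insensitive
        return node[2].lower() in values
    pattern = ".*".join(re.escape(p.lower()) for p in node[2])  # substr
    return any(re.fullmatch(pattern, v, re.S) for v in values)

def search(filter_text, entries):
    """Return the cn of every entry the filter selects, in input order."""
    node = parse_filter(filter_text)
    return [e["cn"][0] for e in entries
            if matches(node, {k.lower(): v for k, v in e.items()})]

# Constructed sample directory; homeMDB holds the DN of a mailbox's store.
STORE = "CN={},CN=First Storage Group,CN=InformationStore,CN=MBX01"
USER = {"objectCategory": ["person"], "objectClass": ["user"]}
ENTRIES = [
    {"cn": ["alice"], "homeMDB": [STORE.format("Sales Store")], **USER},
    {"cn": ["bob"], "homeMDB": [STORE.format("Finance Store")], **USER},
    {"cn": ["carol"], "homeMDB": [STORE.format("Engineering Store")], **USER},
    {"cn": ["dave"], **USER},  # user without a mailbox
    {"cn": ["Sales Team"], "objectCategory": ["group"], "mailNickname": ["salesteam"]},
    {"cn": ["Printer Admins"], "objectCategory": ["group"]},
]

# Mailbox users on either of two stores, plus every mail-enabled group.
ADDRESS_LIST_FILTER = (
    "(|(&(objectCategory=person)(objectClass=user)"
    "(|(homeMDB=" + STORE.format("Sales Store") + ")"
    "(homeMDB=" + STORE.format("Finance Store") + ")))"
    "(&(objectCategory=group)(mailNickname=*)))"
)
```

The same string pasted into an Exchange address list's custom filter (or an ADUC saved query) is what the server evaluates; the evaluator here only mirrors the matching rules so the filter can be checked against known entries before it is deployed.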


RE: [ActiveDir] Domain Controller Security

2005-09-23 Thread Steve Linehan

That is the acronym for a Microsoft Technical Account Manager (TAM). Customers
with custom support such as Premier Support generally have a TAM that is
assigned to them.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Friday, September 23, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

Excuse my ignorance, but what is a TAM?

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, September 23, 2005 5:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

And knowing it, I can always take extra precautions.

The knowing it consists of "don't do it, because you can't secure it".

There are no extra precautions to take. Certainly, you can increase your
auditing, but you could do that now without knowing anything else.

basically, 25% more prepared and secure against this type of attack is better
than 0%.

The more people that know, the higher the potential of attack. And, as folks
have pointed out, since there are no viable workarounds, it doesn't help anyone
to have the number of potential attackers increased.

Call your TAM and see if he or she will provide enough details for you to feel
comfortable.

-ASB

FAST, CHEAP, SECURE: Pick Any TWO

http://www.ultratech-llc.com/KB/


On 9/23/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:

I have to disagree a bit here...

Certainly, obscuring of information is not the way to feel secure.

If I don't know how it is done, then how do I know that I will be able to
detect it, and trace it. And knowing it, I can always take extra precautions,
which I think is better than not knowing it at all.

Basically, 25% more prepared and secure against this type of attack is better
than 0%, and certainly it helps calibrate how paranoid I have to be. :-)

I would like to know how it is done, as our team is currently migrating some
good number of domains to a single domain. And we are going to give local guys
rights to logon to DC for some system maintenance purposes, till the final
single domain is cleaned up and we revert back to the core team for day-to-day
maintenance.

So I am very much interested in knowing it.


On 9/23/05, joe [EMAIL PROTECTED] wrote:

The docs are wrong. Many of us have been hounding MS on this for years. They
really started straightening out docs with K3. Some of the older 2K docs still
suggest this security boundary at the domain. It really came to a head when
Lucent put out a paper on this and it started getting quoted in the newsgroups
and some of us just flamed the crap out of it.

No one here or anywhere should really publish how to exploit rights on a DC to
take over a forest. The answer is pretty self-evident if someone understands
the underpinnings and processes used in AD and since we can't fully protect
against it, it is better left undocumented. If there was a guaranteed safe way
to protect ourselves, then we could publish that workaround and some time later
publish the issue.

   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert
exams, namely the 70-219, they are considered as such. Also, how would a domain
admin of a child domain elevate his privileges?

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your
forest or elevate their privileges. The security boundary in AD is at the
forest, not the domain.

Phil

On 9/22/05, Gideon Ashcraft [EMAIL PROTECTED] wrote:

The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make him a domain admin of that child domain. I
know from experience that using a DC as anything but a DC is a freakin pain in
the ass; my predecessor set a DC up as a print/file server and another as a SQL
server (finally able to demote that one now, soon hopefully). But my citrix
profiles are on the domain controller, and after months of trying to set
delegation up properly in AD and setting up permissions in the appropriate
folders on the DC, the only way I was able to get my Helpdesk admin set up to
create accounts with my scripts so that I didn't have to do it was to make him
a domain admin. My company is too damn cheap to get me another server to put
the citrix profiles somewhere else. Oh yeah, and it's an app server for network
install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC,

RE: [ActiveDir] Removing SidHistory from a group object- help

2005-08-24 Thread Steve Linehan

Here is a sample VBS script that can do this: http://support.microsoft.com/default.aspx?scid=kb;en-us;295758

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Removing SidHistory from a group object- help

I have a problem: some of our support staff migrated Domain Admin SIDs from
some NT4 domains to the Domain Admins group of our main Active Directory user
domain, thus allowing the Active Directory Domain Admins group to be able to
access many of our NT4 domains without requesting access.

I have tried to delete the sidHistory using ADSI Edit, but get access denied. I
have full control of the object, so I believe that the DSA is telling me no.

Anyone have a good method to remove sidHistory attributes?

Thank You! And have a nice day!



RE: [ActiveDir] Cross forest trust: universal groups

2005-08-22 Thread Steve Linehan

The documentation is wrong and I thought it had been cleaned up in all places
but apparently not. A good summary of group scope for cross forest trusts is:

Scenario: Forest A & B have a cross forest trust.

Security Group usage:
Only the following security principals from Forest A can be used in Forest B:
1. User Accounts
2. Global Groups
3. Universal Groups

The above can be added to only the following in Forest B:
1. Domain Local group
2. BuiltIn group on a local computer
3. BuiltIn group on a Domain Controller
4. Directly in an ACL

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest trust: universal groups

Thanks Dean

That makes absolute sense, only it conflicts with what it says here:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/517b4fa4-5266-419c-9791-6fb56fabb85e.mspx

Create a universal group in the resource forest, and then add all global groups
from the other forest (or forests) that need similar access as members of the
universal group.

For example, both the employees in the Sales Department and Accounting
Department global groups located in ForestA use similar print resources located
in ForestB. Create a universal group called Print Users in Other Forests in
ForestB, and add both the Sales Department and Accounting Department global
groups from ForestA as members.

Universal groups are used primarily to group together two or more global groups
(possibly from other forests) into one group for the resource domain.

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, 23 August 2005 1:46 p.m.
To: Send - AD mailing list
Subject: RE: [ActiveDir] Cross forest trust: universal groups

A user's Universal group membership must be able to be fully enumerated against
a forest-local GC, thus you cannot add users to a Universal beyond their own
forest.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, August 22, 2005 9:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross forest trust: universal groups

Hi all

I'm missing something here and I'm hoping you can give me a pointer.

Scenario:

2 single domain forests connected by a forest trust.

I want to add global groups from ForestB to a universal group in ForestA. I go
into ADUC in ForestA and click on the Members tab and select Add. When I go to
the Locations tab to select the domain from ForestB I only see ForestA as an
available option. Surely I should be able to add resources from ForestB to this
universal group? If I try to do the same thing with a domain local group in
ForestA, I see the domain in ForestB as an available option, so it looks like
the trust is ok.

Any thoughts?

Tony

This e-mail message has been scanned for Viruses and Content and
cleared by NetIQ MailMarshal at Gen-i Limited



RE: [ActiveDir] w2k sp4 Kerberos changes?

2005-08-19 Thread Steve Linehan
A network trace from the server getting the error would be helpful.  I
imagine you are not getting past the MIT KDC, which should be passing back
a referral to the Windows KDC.  With a trace from the client we can see
what is being requested and what errors are returned.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:
 Thanks for all the advice.
 
 Checked our srv records and they returned all the DCs. It was 
 resolvable from our MIT/Unix systems.
 
 The strange part is that between 5:30 and 7:15 this morning access 
 using MIT credentials started working. I'm searching for a reason as 
 to why it happened but no one admits to changing anything.

And strangely enough - 2 hours later they started failing again. This is
very weird. The Windows event logs are of no help.

Any other ideas?

al

 Steve Linehan wrote:
 
 I should clarify that I would not expect the MIT KDCs to be using the

 SRV records however we have seen problems where load from Windows 
 clients, because we had limited servers actually registering SRV 
 records, could cause anomalies.
 Thanks,

 -Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
 Linehan
 Sent: Thursday, August 18, 2005 10:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

 Actually it is possible that you are running into this issue:
 http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check

 to make sure that your SRV records are being registered in DNS.

 Thanks,

 -Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve 
 Linehan
 Sent: Thursday, August 18, 2005 10:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

 I am not aware of any changes in SP4 or the security patch that would

 cause the failure you mention below.  It is normally a DNS name 
 resolution issue that causes that error.  Can you verify that the 
 Windows KDCs can be resolved from the UNIX boxes? Would it be 
 possible to get a network trace of the failure?

 Thanks,

 -Steve

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al 
 Lilianstrom
 Sent: Thursday, August 18, 2005 10:04 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] w2k sp4 Kerberos changes?

 Hi,

 We applied sp4 to our w2k based AD this morning. It was a tad hurried

 as

 one of the ms05-039 based worms showed up inside our border router 
 (laptop from home) so not everything got tested in our test domain. 
 We noticed that Unix based applications that used Kerberos 
 authentication (we have a MIT Kerberos infrastructure for the Unix 
 systems) to read and

 write to AD started failing.

 The error isn't very helpful either - Miscellaneous failure (Cannot 
 re solve KDC for requested realm). All w2k DCs are on line and
functional.

 The trusts to the MIT side are still there.

 I've been looking through the sp4 docs and I don't see anything 
 obvious but I may have missed something. We also applied the ms05-042

 Kerberos spoofing patch but according to the docs it doesn't change 
 functionality

 without a registry change.

 Any ideas?

 al
 
 

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] w2k sp4 Kerberos changes?

2005-08-19 Thread Steve Linehan
Unfortunately additional logging for the KDC in Windows 2000 is thin.
This was added in Windows Server 2003 but we are not there.  I really
believe that we are not getting to the Windows 2000 KDC anyway, i.e. the
client is handed back the referral and then failing to resolve the name.
In the referral I assume it is just passing back the generic FQDN for
the Windows 2000 domain and the client is querying for that A record and
getting back a list of all DCs in that domain.  Can you use nslookup to
get a list of DCs and then ensure that they are all reachable from the
client's perspective?  This is assuming that you are getting the same
error as before.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Steve Linehan wrote:
 A network trace from the server getting the error would be helpful.  I

 imagine you are not getting past the MIT KDC who should be passing 
 back a referral to the Windows KDC.  With a trace from the client we 
 can see what is being requested and what errors are returned.

I'm trying to arrange that but the system initiating the query to AD is
in a different division and is not always easy to work with. A check of
our MIT KDC logs looked ok. We see the initial request to the MIT KDC,
another for pre-auth, and then the forwarding to AD.

Is there a way to see something similar to a MIT KDC log in AD? I've
looked for a way to see who is getting tickets and when but have never
found it.

al


 Thanks,
 
 -Steve
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al 
 Lilianstrom
 Sent: Friday, August 19, 2005 10:28 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
 
 Al Lilianstrom wrote:
 
Thanks for all the advice.

Checked our srv records and they returned all the DCs. It was 
resolvable from our MIT/Unix systems.

The strange part is that between 5:30 and 7:15 this morning access 
using MIT credentials started working. I'm searching for a reason as 
to why it happened but no one admits to changing anything.
 
 
 And strangely enough - 2 hours later they started failing again. This 
 is very weird. The Windows event logs are of no help.
 
 Any other ideas?
 
   al
 
 
Steve Linehan wrote:

I should clarify that I would not expect the MIT KDCs to be using the
SRV records; however, we have seen problems where load from Windows 
clients, because we had limited servers actually registering SRV 
records, could cause anomalies.
Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve 
Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check
to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve 
Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would
cause the failure you mention below.  It is normally a DNS name 
resolution issue that causes that error.  Can you verify that the 
Windows KDCs can be resolved from the UNIX boxes? Would it be 
possible to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as
one of the ms05-039 based worms showed up inside our border router 
(laptop from home) so not everything got tested in our test domain.
We noticed that Unix based applications that used Kerberos 
authentication (we have a MIT Kerberos infrastructure for the Unix
systems) to read and write to AD started failing.

The error isn't very helpful either - Miscellaneous failure (Cannot 
resolve KDC for requested realm). All w2k DCs are online and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything 
obvious but I may have missed something. We also applied the ms05-042
Kerberos spoofing patch but according to the docs it doesn't change 
functionality without a registry change.

Any ideas?

al


 

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com
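The check Steve keeps coming back to in this thread (list the DCs the SRV records advertise, then make sure every one of them resolves and is reachable from the client) as an added Python example; it is not code from the thread or from Microsoft. It parses dig-style answers for `_kerberos._tcp.<domain>`, resolves each target and probes TCP 88. The domain, hostnames, addresses and the two failing DCs are constructed for the example; the fake resolver and probe keep it offline, while the real `dns_resolve` and `tcp_probe` are the defaults.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed dig-style answer for a Windows domain's Kerberos SRV record.
# The domain, hostnames and addresses below are made up for this example.
SAMPLE_SRV_ANSWERS = """
_kerberos._tcp.corp.example.   600 IN SRV 0 100 88 dc1.corp.example.
_kerberos._tcp.corp.example.   600 IN SRV 0 100 88 dc2.corp.example.
_kerberos._tcp.corp.example.   600 IN SRV 10 50 88 dc3-branch.corp.example.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$"
)

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, hostname)


def parse_srv(answer_text: str) -> List[SrvRecord]:
    """Parse dig-style SRV answer lines; lowest priority, then highest weight, first."""
    records: List[SrvRecord] = []
    for line in answer_text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, non-SRV records
        records.append((int(m["prio"]), int(m["weight"]), int(m["port"]),
                        m["target"].rstrip(".")))
    records.sort(key=lambda r: (r[0], -r[1]))
    return records


def dns_resolve(host: str) -> Optional[str]:
    """Live resolver: IPv4 address for host, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Live reachability probe: does a TCP handshake to ip:port complete?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcs(answer_text: str,
               resolve: Callable[[str], Optional[str]] = dns_resolve,
               probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, str]:
    """Map each KDC hostname to 'ok', 'unresolvable' or 'unreachable:<ip>'.

    An 'unresolvable' entry is the client-side condition behind the
    'Cannot resolve KDC for requested realm' error quoted in the thread.
    """
    results: Dict[str, str] = {}
    for _prio, _weight, port, host in parse_srv(answer_text):
        ip = resolve(host)
        if ip is None:
            results[host] = "unresolvable"
        elif not probe(ip, port):
            results[host] = f"unreachable:{ip}"
        else:
            results[host] = "ok"
    return results


# Constructed stand-ins so the example runs offline: dc3-branch has no A
# record at all, dc2 resolves but nothing answers on its Kerberos port.
FAKE_DNS = {"dc1.corp.example": "10.0.0.11", "dc2.corp.example": "10.0.0.12"}


def fake_probe(ip: str, port: int) -> bool:
    return port == 88 and ip == "10.0.0.11"


if __name__ == "__main__":
    # Pass dns_resolve / tcp_probe (the defaults) instead to run against real DNS.
    for host, status in check_kdcs(SAMPLE_SRV_ANSWERS, FAKE_DNS.get, fake_probe).items():
        print(f"{host:28} {status}")
```

Run it from the UNIX box that reports the error, not from a Windows client, since the point is the UNIX resolver's view of the names. If the MIT clients carry explicit `kdc =` entries in the `[realms]` section of krb5.conf rather than relying on DNS, those entries are the names to feed in instead of the SRV answer.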

RE: [ActiveDir] AD attribute

2005-08-19 Thread Steve Linehan
If you are running Windows Server 2003 SP1 I would investigate using the
confidential attribute setting.  Take a look at the Confidential
attributes section of this resource
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e3525d00-a746-4466-bb87-140acb44a603.mspx
for more details.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 19, 2005 11:55 AM
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib(hidden
from users, of course) How would I go about doing this?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
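Steve's pointer, carried through as an added example (not code from the thread or from Microsoft): a Python helper that builds the LDIF an `ldifde -i -f` import would apply to set the confidential bit (searchFlags 0x80, available from Windows Server 2003 SP1) on a custom attribute's schema object. The attribute name `contoso-SSN` and the schema naming context are constructed. Two things the helper gets right that a hand-written `searchFlags: 128` does not: the bit is OR-ed into the current value so an existing index flag survives, and base-schema attributes (systemFlags 0x10) are refused, since the directory does not allow the confidential bit on them. Once the bit is set, only principals holding the control-access right on the attribute (plus accounts with full control of the object) can read it, so grant that right to the one group that needs the numbers and to nobody else.

```python
# attributeSchema searchFlags bits used here (ldifde shows the value in decimal)
SF_INDEXED = 0x01        # attribute is indexed
SF_CONFIDENTIAL = 0x80   # confidential attribute, Windows Server 2003 SP1 and later
# systemFlags bit that marks a base-schema (category 1) attribute; the
# confidential bit cannot be set on those
FLAG_SCHEMA_BASE_OBJECT = 0x10

# Constructed names; take the real ones from your forest's schema partition.
SAMPLE_SCHEMA_NC = "CN=Schema,CN=Configuration,DC=corp,DC=example"
SAMPLE_ATTRIBUTE_CN = "contoso-SSN"


def is_confidential(search_flags: int) -> bool:
    return bool(search_flags & SF_CONFIDENTIAL)


def confidential_search_flags(current_search_flags: int) -> int:
    """OR the bit in: a plain 'searchFlags: 128' would silently drop indexing flags."""
    return current_search_flags | SF_CONFIDENTIAL


def ldif_mark_confidential(attribute_cn: str, schema_nc: str,
                           current_search_flags: int, system_flags: int) -> str:
    """LDIF modify entry (for `ldifde -i -f <file>`) that marks the attribute confidential."""
    if system_flags & FLAG_SCHEMA_BASE_OBJECT:
        raise ValueError(
            f"{attribute_cn} is a base-schema attribute; the directory will not "
            "accept the confidential bit on it, use a custom attribute instead")
    new_flags = confidential_search_flags(current_search_flags)
    return (
        f"dn: CN={attribute_cn},{schema_nc}\n"
        "changetype: modify\n"
        "replace: searchFlags\n"
        f"searchFlags: {new_flags}\n"
        "-\n"
    )


if __name__ == "__main__":
    # The custom attribute is already indexed (searchFlags 1) and is not base schema.
    print(ldif_mark_confidential(SAMPLE_ATTRIBUTE_CN, SAMPLE_SCHEMA_NC,
                                 current_search_flags=SF_INDEXED, system_flags=0))
```

Read the attribute's current searchFlags and systemFlags from the schema object first (an `ldifde -d` export of the attributeSchema object works) and pass those values in; the helper never guesses them.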


RE: [ActiveDir] User SIDs...

2005-08-19 Thread Steve Linehan
If you want to split hairs, the largest token a user can have may only
contain 1024 SIDs, that is, if they want to log on.  This is a hard-coded
limitation and we actually publish 1015 since there are built-in groups
that get added to every user token.  This is documented here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;328889.  That
being said, that does not mean that the authorization protocols or
applications leveraging those protocols can/will work with tokens that
large.  For example IIS has limits on the amount of data that is
exchanged in a GET request etc...  So even though the underlying OS can
build a token with 1024 SIDs in it, that does not mean everything is going
to work.  This limit of 1024 SIDs has been in the product for some time,
at least since NT 4.0 and likely earlier.  What has changed over time is
the way the different authentication providers and applications handle
this, as referenced in the various emails below.

Thanks,

-Steve 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Having read through most of the replies on this, it's interesting that
there was an internal (to Microsoft - just to clarify) discussion on
this same topic yesterday.

Seems that a customer was having problems with a function calling APIs
for SID creation when the SID exceeded 68 bytes.

I'll let you determine from that statement what the largest supported
SID is.  :o)

So, take that number into 12000 and I suspect that will give you a clear
idea of how memberships would begin to cause issues with Kerberos.
However, as al mentions, this can be increased but I don't know what the
max supported size is.

And, as to figuring out the actual size of a SID, yes there is.  I don't
have the algorithm at my finger tips, but it can be derived pretty
easily - more easily with C/C++, or Perl, IIRC.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP
SP2 clients) can be before problems such as
http://support.microsoft.com/?kbid=327825 start occurring?  Also, is
there any way to determine the actual length of a user's SID???

TIA,

Brad


This email and any attached files are confidential and copyright
protected.
If you are not the addressee, any dissemination of this communication is
strictly prohibited. Unless otherwise expressly agreed in writing,
nothing stated in this communication shall be legally binding.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
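The two numbers this thread circles (Rick's 68-byte SID and Steve's 1024/1015 token ceiling) worked through as an added Python example that is not from the thread. A binary SID is an 8-byte header (revision, sub-authority count, 6-byte identifier authority) plus 4 bytes per sub-authority, with at most 15 sub-authorities, so the largest possible SID is 8 + 4 × 15 = 68 bytes; an ordinary domain group SID (S-1-5-21-a-b-c-RID) is 28. The domain SID and the RIDs in the sample are constructed; the report counts group SIDs against the published 1015 limit rather than guessing how a particular protocol will behave near it.

```python
import re
from typing import Dict, List

# Binary SID layout: revision (1) + sub-authority count (1) + identifier
# authority (6) + 4 bytes per sub-authority; at most 15 sub-authorities.
SID_HEADER_BYTES = 8
SID_SUBAUTHORITY_BYTES = 4
SID_MAX_SUB_AUTHORITIES = 15

# Token ceiling quoted in the thread: 1024 SIDs in total, 1015 published as
# the practical group limit because built-in SIDs consume the rest.
TOKEN_HARD_LIMIT = 1024
PUBLISHED_GROUP_LIMIT = 1015

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def sid_binary_length(sid: str) -> int:
    """Size in bytes of the binary form of a string SID such as S-1-5-32-544."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    sub_count = m.group(2).count("-")  # one '-' per sub-authority
    if sub_count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"{sid!r} has {sub_count} sub-authorities, maximum is "
                         f"{SID_MAX_SUB_AUTHORITIES}")
    return SID_HEADER_BYTES + SID_SUBAUTHORITY_BYTES * sub_count


def token_report(group_sids: List[str],
                 limit: int = PUBLISHED_GROUP_LIMIT) -> Dict[str, object]:
    """Summarise the group SIDs a user's token would carry against `limit`."""
    lengths = [sid_binary_length(s) for s in group_sids]
    return {
        "group_sids": len(lengths),
        "sid_bytes": sum(lengths),
        "largest_sid_bytes": max(lengths, default=0),
        "within_limit": len(lengths) <= limit,
        "headroom": limit - len(lengths),   # negative when over the limit
        "hard_limit": TOKEN_HARD_LIMIT,
    }


# Constructed sample: a made-up domain SID, the well-known Everyone (S-1-1-0)
# and Authenticated Users (S-1-5-11) SIDs, and n domain group RIDs from 1100 up.
SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"


def sample_groups(n: int) -> List[str]:
    return ["S-1-1-0", "S-1-5-11"] + [f"{SAMPLE_DOMAIN_SID}-{1100 + i}" for i in range(n)]


if __name__ == "__main__":
    print("largest SID:", sid_binary_length("S-1-5-" + "-".join(["1"] * 15)), "bytes")
    for n in (100, 1200):
        print(n, "groups ->", token_report(sample_groups(n)))
```

To run it against a real account, feed `token_report` the SID strings of the user's transitive group membership (tokenGroups on the user object gives exactly the set the token would carry, in binary form that needs converting to strings first).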


RE: [ActiveDir] Database Corruption

2005-08-19 Thread Steve Linehan
Well the first thing I always recommend is to try an offline defrag as it
is possible that the corruption is in an index, i.e. metadata, that can be
rebuilt. If the offline defrag fails then restoring from backup or
repromoting will be your next step.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, August 19, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Database Corruption

My preferred approach would be to demote the box to member server and
re-promote to a domain controller to ensure a good fresh copy of the DIT.
YMMV as the specific requirements at your location may prevent this. We
have only run into this once early in our AD days and this was the
approach we used with good success.

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, August 19, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Database Corruption

Started getting the error below a few weeks ago on one of our DCs. My
first reaction is to run a non-auth restore from a day before this
started happening and let replication take care of everything else. Any
reason NOT to do this? I'm concerned that this may happen again and
wasn't able to find anything specific to the error below. Besides calling
PSS anything else I should look into before restoring? This box holds
all FSMO roles, Win2k3, server for NIS.

TIA

-alex

Event Type: Error
Event Source: NTDS ISAM
Event Category: Database Page Cache
Event ID: 475
Date: 8/19/2005
Time: 2:00:24 PM
User: N/A
Computer: DC
Description:
NTDS (528) NTDSA: The database page read from the file
C:\WINNT\NTDS\ntds.dit at offset 665067520 (0x27a42000) for
8192 (0x2000) bytes failed verification due to a page number
mismatch. The expected page number was 81184 (0x00013d20) and the actual
page number was 2349964126 (0x8c119b5e). The read operation will fail
with error -1018 (0xfc06). If this condition persists then please
restore the database from a previous backup. This problem is likely due to faulty
hardware. Please contact your hardware vendor for further assistance diagnosing
the problem.
RE: [ActiveDir] FW: Not quite 64-bit yet, just slightly above 32

2005-08-18 Thread Steve Linehan
Can you verify that the version of SP1 on the problematic machine is actually 
the RTM version of SP1.  There was a report of this problem with beta versions 
of SP1 but it was fixed by RTM of SP1.  Can you run winver and report the full 
build number?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 18, 2005 10:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Not quite 64-bit yet, just slightly above 32

 
I meant to send this here earlier, but I ended up sending it to Tony instead
:)
--
 
Since applying the latest series of Patches release last week, I have been
experiencing the following symptoms:
 
When trying to connect from any other system to shares on this 2K3-SP1 system
on which the patches have been installed, I get:
 
Arithmetic result exceeded 32 bits.
 
Admin tools and connection to DC FROM this system is also whacked. Connecting
other systems work, as long as the system is not a DC. What gives?
 
Now, being a lay-person and all, I am thinking, IF I can cause my 32-bit OS
to computationally exceed 32, maybe I can save money here and not have to buy
those expensive 64-bit thingamajigs.
 
Stay tuned. I think I'm up to 35-bits now. Should be close to 64 very soon :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] w2k sp4 Kerberos changes?

2005-08-18 Thread Steve Linehan
I am not aware of any changes in SP4 or the security patch that would
cause the failure you mention below.  It is normally a DNS name
resolution issue that causes that error.  Can you verify that the
Windows KDCs can be resolved from the UNIX boxes? Would it be possible
to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as
one of the ms05-039 based worms showed up inside our border router 
(laptop from home) so not everything got tested in our test domain. We 
noticed that Unix based applications that used Kerberos authentication 
(we have a MIT Kerberos infrastructure for the Unix systems) to read and
write to AD started failing.

The error isn't very helpful either - Miscellaneous failure (Cannot
resolve KDC for requested realm). All w2k DCs are online and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious 
but I may have missed something. We also applied the ms05-042 Kerberos 
spoofing patch but according to the docs it doesn't change functionality
without a registry change.

Any ideas?

al
-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] w2k sp4 Kerberos changes?

2005-08-18 Thread Steve Linehan
Actually it is possible that you are running into this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to
make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would
cause the failure you mention below.  It is normally a DNS name
resolution issue that causes that error.  Can you verify that the
Windows KDCs can be resolved from the UNIX boxes? Would it be possible
to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as
one of the ms05-039 based worms showed up inside our border router 
(laptop from home) so not everything got tested in our test domain. We 
noticed that Unix based applications that used Kerberos authentication 
(we have a MIT Kerberos infrastructure for the Unix systems) to read and
write to AD started failing.

The error isn't very helpful either - Miscellaneous failure (Cannot
resolve KDC for requested realm). All w2k DCs are online and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious 
but I may have missed something. We also applied the ms05-042 Kerberos 
spoofing patch but according to the docs it doesn't change functionality
without a registry change.

Any ideas?

al
-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] FW: Not quite 64-bit yet, just slightly above 32

2005-08-18 Thread Steve Linehan
Yes if you are running R2 via the tech beta then you are running a Release
Candidate of SP1 and it was around that build that the problem was
introduced.  I am not aware of a newer version of the R2 bits that correct
this problem, i.e. one that runs on RTM SP1, which is generally available.
Did you get R2 through the tech beta or are you a TAP customer?

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FW: Not quite 64-bit yet, just slightly above 32

I think you are onto something there, Steve J

Just finished doing a compare and the problematic system has some
traces of R2 on it.

Apologies for the screen-shot, but it's faster ;)

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FW: Not quite 64-bit yet, just slightly above 32

Can you verify that the version of SP1 on the problematic machine is
actually the RTM version of SP1. There was a report of this problem with
beta versions of SP1 but it was fixed by RTM of SP1. Can you run winver
and report the full build number?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 18, 2005 10:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Not quite 64-bit yet, just slightly above 32

I meant to send this here earlier, but I ended up sending it to Tony
instead :)
--

Since applying the latest series of Patches released last week, I have
been experiencing the following symptoms:

When trying to connect from any other system to shares on this 2K3-SP1
system on which the patches have been installed, I get:

Arithmetic result exceeded 32 bits.

Admin tools and connection to DC FROM this system is also whacked.
Connecting other systems work, as long as the system is not a DC. What
gives?

Now, being a lay-person and all, I am thinking, IF I can cause my
32-bit OS to computationally exceed 32, maybe I can save money here and
not have to buy those expensive 64-bit thingamajigs.

Stay tuned. I think I'm up to 35-bits now. Should be close to 64 very
soon :)

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] w2k sp4 Kerberos changes?

2005-08-18 Thread Steve Linehan
I should clarify that I would not expect the MIT KDCs to be using the
SRV records; however, we have seen problems where load from Windows
clients, because we had limited servers actually registering SRV
records, could cause anomalies.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to
make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would
cause the failure you mention below.  It is normally a DNS name
resolution issue that causes that error.  Can you verify that the
Windows KDCs can be resolved from the UNIX boxes? Would it be possible
to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as
one of the ms05-039 based worms showed up inside our border router 
(laptop from home) so not everything got tested in our test domain. We 
noticed that Unix based applications that used Kerberos authentication 
(we have a MIT Kerberos infrastructure for the Unix systems) to read and
write to AD started failing.

The error isn't very helpful either - Miscellaneous failure (Cannot
resolve KDC for requested realm). All w2k DCs are online and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious 
but I may have missed something. We also applied the ms05-042 Kerberos 
spoofing patch but according to the docs it doesn't change functionality
without a registry change.

Any ideas?

al
-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

